CMS 3D CMS Logo
List of all members | Classes | Public Member Functions | Static Public Attributes | Private Member Functions | Private Attributes | Friends
cond::CredentialStore Class Reference

#include <CredentialStore.h>

Classes

struct  Permission
 

Public Member Functions

bool createSchema (const std::string &connectionString, const std::string &userName, const std::string &password)
 
 CredentialStore ()
 Standard Constructor. More...
 
bool drop (const std::string &connectionString, const std::string &userName, const std::string &password)
 
bool exportAll (coral_bridge::AuthenticationCredentialSet &data)
 
bool importForPrincipal (const std::string &principal, const coral_bridge::AuthenticationCredentialSet &data, bool forceUpdateConnection=false)
 import data More...
 
const std::string & keyPrincipalName ()
 
bool listConnections (std::map< std::string, std::pair< std::string, std::string > > &destination)
 
bool listPrincipals (std::vector< std::string > &destination)
 
bool removeConnection (const std::string &connectionLabel)
 
bool removePrincipal (const std::string &principal)
 
bool resetAdmin (const std::string &userName, const std::string &password)
 
bool selectForUser (coral_bridge::AuthenticationCredentialSet &destinationData)
 
bool selectPermissions (const std::string &principalName, const std::string &role, const std::string &connectionString, std::vector< Permission > &destination)
 
bool setPermission (const std::string &principal, const std::string &role, const std::string &connectionString, const std::string &connectionLabel)
 
std::string setUpForConnectionString (const std::string &connectionString, const std::string &authPath)
 
std::string setUpForService (const std::string &serviceName, const std::string &authPath)
 Sets the initialization parameters. More...
 
bool unsetPermission (const std::string &principal, const std::string &role, const std::string &connectionString)
 
bool updateConnection (const std::string &connectionLabel, const std::string &userName, const std::string &password)
 
bool updatePrincipal (const std::string &principal, const std::string &principalKey, bool setAdmin=false)
 
virtual ~CredentialStore ()
 Standard Destructor. More...
 

Static Public Attributes

static const std::string DEFAULT_DATA_SOURCE
 

Private Member Functions

void closeSession (bool commit=true)
 
std::pair< std::string, std::string > openConnection (const std::string &connectionString)
 
void openSession (bool readOnly=true)
 
void openSession (const std::string &schemaName, const std::string &userName, const std::string &password, bool readMode)
 
void startSession (bool readMode)
 
void startSuperSession (const std::string &connectionString, const std::string &userName, const std::string &password)
 

Private Attributes

std::shared_ptr< coral::IConnection > m_connection
 
auth::DecodingKey m_key
 
int m_principalId
 
std::string m_principalKey
 
const auth::ServiceCredentialsm_serviceData
 
std::string m_serviceName
 
std::shared_ptr< coral::ISession > m_session
 

Friends

class CSScopedSession
 

Detailed Description

Definition at line 77 of file CredentialStore.h.

Constructor & Destructor Documentation

◆ CredentialStore()

cond::CredentialStore::CredentialStore ( )

Standard Constructor.

Definition at line 673 of file CredentialStore.cc.

674  : m_connection(),
675  m_session(),
676  m_principalId(-1),
677  m_principalKey(""),
678  m_serviceName(""),
679  m_serviceData(nullptr),
680  m_key() {}

◆ ~CredentialStore()

cond::CredentialStore::~CredentialStore ( )
virtual

Standard Destructor.

Definition at line 682 of file CredentialStore.cc.

682 {}

Member Function Documentation

◆ closeSession()

void cond::CredentialStore::closeSession ( bool  commit = true)
private

Definition at line 518 of file CredentialStore.cc.

518  {
519  if (m_session.get()) {
520  if (m_session->transaction().isActive()) {
521  if (commit) {
522  m_session->transaction().commit();
523  } else {
524  m_session->transaction().rollback();
525  }
526  }
527  m_session->endUserSession();
528  }
529  m_session.reset();
530  if (m_connection.get()) {
531  m_connection->disconnect();
532  }
533  m_connection.reset();
534 }

◆ createSchema()

bool cond::CredentialStore::createSchema ( const std::string &  connectionString,
const std::string &  userName,
const std::string &  password 
)

Definition at line 740 of file CredentialStore.cc.

742  {
743  CSScopedSession session(*this);
744  session.startSuper(connectionString, userName, password);
745 
746  coral::ISchema& schema = m_session->nominalSchema();
747  if (schema.existsTable(COND_AUTHENTICATION_TABLE)) {
748  throwException("Credential database, already exists.", "CredentialStore::create");
749  }
750 
751  coral::TableDescription dseq;
752  dseq.setName(SEQUENCE_TABLE_NAME);
753 
754  dseq.insertColumn(SEQUENCE_NAME_COL, coral::AttributeSpecification::typeNameForType<std::string>());
755  dseq.setNotNullConstraint(SEQUENCE_NAME_COL);
756  dseq.insertColumn(SEQUENCE_VALUE_COL, coral::AttributeSpecification::typeNameForType<int>());
757  dseq.setNotNullConstraint(SEQUENCE_VALUE_COL);
758  dseq.setPrimaryKey(std::vector<std::string>(1, SEQUENCE_NAME_COL));
759  schema.createTable(dseq);
760 
761  int columnSize = 2000;
762 
763  // authentication table
764 
765  addSequence(schema, COND_AUTHENTICATION_TABLE);
766  coral::TableDescription descr0;
767  descr0.setName(COND_AUTHENTICATION_TABLE);
768  descr0.insertColumn(PRINCIPAL_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
769  descr0.insertColumn(
770  PRINCIPAL_NAME_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
771  descr0.insertColumn(
772  VERIFICATION_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
773  descr0.insertColumn(
774  PRINCIPAL_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
775  descr0.insertColumn(ADMIN_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
776  descr0.setNotNullConstraint(PRINCIPAL_ID_COL);
777  descr0.setNotNullConstraint(PRINCIPAL_NAME_COL);
778  descr0.setNotNullConstraint(VERIFICATION_COL);
779  descr0.setNotNullConstraint(PRINCIPAL_KEY_COL);
780  descr0.setNotNullConstraint(ADMIN_KEY_COL);
781  std::vector<std::string> columnsUnique;
782  columnsUnique.push_back(PRINCIPAL_NAME_COL);
783  descr0.setUniqueConstraint(columnsUnique);
784  std::vector<std::string> columnsForIndex;
785  columnsForIndex.push_back(PRINCIPAL_ID_COL);
786  descr0.setPrimaryKey(columnsForIndex);
787  schema.createTable(descr0);
788 
789  // authorization table
790  addSequence(schema, COND_AUTHORIZATION_TABLE);
791  coral::TableDescription descr1;
792  descr1.setName(COND_AUTHORIZATION_TABLE);
793  descr1.insertColumn(AUTH_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
794  descr1.insertColumn(P_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
795  descr1.insertColumn(ROLE_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
796  descr1.insertColumn(SCHEMA_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
797  descr1.insertColumn(AUTH_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
798  descr1.insertColumn(C_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
799  descr1.setNotNullConstraint(AUTH_ID_COL);
800  descr1.setNotNullConstraint(P_ID_COL);
801  descr1.setNotNullConstraint(ROLE_COL);
802  descr1.setNotNullConstraint(SCHEMA_COL);
803  descr1.setNotNullConstraint(AUTH_KEY_COL);
804  descr1.setNotNullConstraint(C_ID_COL);
805  columnsUnique.clear();
806  columnsUnique.push_back(P_ID_COL);
807  columnsUnique.push_back(ROLE_COL);
808  columnsUnique.push_back(SCHEMA_COL);
809  descr1.setUniqueConstraint(columnsUnique);
810  columnsForIndex.clear();
811  columnsForIndex.push_back(AUTH_ID_COL);
812  descr1.setPrimaryKey(columnsForIndex);
813  schema.createTable(descr1);
814 
815  // credential table
816  addSequence(schema, COND_CREDENTIAL_TABLE);
817  coral::TableDescription descr2;
818  descr2.setName(COND_CREDENTIAL_TABLE);
819  descr2.insertColumn(CONNECTION_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
820  descr2.insertColumn(
821  CONNECTION_LABEL_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
822  descr2.insertColumn(USERNAME_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
823  descr2.insertColumn(PASSWORD_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
824  descr2.insertColumn(
825  VERIFICATION_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
826  descr2.insertColumn(
827  CONNECTION_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
828  descr2.setNotNullConstraint(CONNECTION_ID_COL);
829  descr2.setNotNullConstraint(CONNECTION_LABEL_COL);
830  descr2.setNotNullConstraint(USERNAME_COL);
831  descr2.setNotNullConstraint(PASSWORD_COL);
832  descr2.setNotNullConstraint(VERIFICATION_KEY_COL);
833  descr2.setNotNullConstraint(CONNECTION_KEY_COL);
834  columnsUnique.clear();
835  columnsUnique.push_back(CONNECTION_LABEL_COL);
836  descr2.setUniqueConstraint(columnsUnique);
837  columnsForIndex.clear();
838  columnsForIndex.push_back(CONNECTION_ID_COL);
839  descr2.setPrimaryKey(columnsForIndex);
840  schema.createTable(descr2);
841 
842  try {
843  schema.tableHandle(COND_AUTHENTICATION_TABLE)
844  .privilegeManager()
845  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
846  schema.tableHandle(COND_AUTHORIZATION_TABLE)
847  .privilegeManager()
848  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
849  schema.tableHandle(COND_CREDENTIAL_TABLE)
850  .privilegeManager()
851  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
852  } catch (const coral::Exception& e) {
853  std::cout << "WARNING: Could not grant select access to user " << m_serviceData->userName << ": [" << e.what()
854  << "]" << std::endl;
855  }
856  auth::KeyGenerator gen;
857  m_principalKey = gen.make(auth::COND_DB_KEY_SIZE);
858  auto princData = updatePrincipalData(schema, m_key.principalKey(), m_key.principalName(), m_principalKey, true);
859  std::string credentialAccessLabel = schemaLabel(m_serviceName, userName);
860  auto connParams = updateConnectionData(schema, m_principalKey, credentialAccessLabel, userName, password, true);
861  bool ret = setPermissionData(schema,
862  princData.first,
863  m_principalKey,
864  auth::COND_ADMIN_ROLE,
865  connectionString,
866  connParams.first,
867  connParams.second);
868  session.close();
869  return ret;
870 }

References addSequence(), ADMIN_KEY_COL(), AUTH_ID_COL(), AUTH_KEY_COL(), C_ID_COL(), cond::CSScopedSession::close(), cond::auth::COND_ADMIN_ROLE, COND_AUTHENTICATION_TABLE(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), cond::auth::COND_DB_KEY_SIZE, CONNECTION_ID_COL(), CONNECTION_KEY_COL(), CONNECTION_LABEL_COL(), l1RCTOmdsFedVectorProducer_cfi::connectionString, gather_cfg::cout, MillePedeFileConverter_cfg::e, Exception, relval_steps::gen(), P_ID_COL(), EcalCondDBWriter_cfi::password, PASSWORD_COL(), PRINCIPAL_ID_COL(), PRINCIPAL_KEY_COL(), PRINCIPAL_NAME_COL(), runTheMatrix::ret, ROLE_COL(), SCHEMA_COL(), cond::schemaLabel(), SEQUENCE_NAME_COL(), SEQUENCE_TABLE_NAME(), SEQUENCE_VALUE_COL(), cond::setPermissionData(), cond::CSScopedSession::startSuper(), AlCaHLTBitMon_QueryRunRegistry::string, cond::throwException(), cond::updateConnectionData(), cond::updatePrincipalData(), EcalCondDBWriter_cfi::userName, USERNAME_COL(), VERIFICATION_COL(), and VERIFICATION_KEY_COL().

◆ drop()

bool cond::CredentialStore::drop ( const std::string &  connectionString,
const std::string &  userName,
const std::string &  password 
)

Definition at line 872 of file CredentialStore.cc.

874  {
875  CSScopedSession session(*this);
876  session.startSuper(connectionString, userName, password);
877 
878  coral::ISchema& schema = m_session->nominalSchema();
879  schema.dropIfExistsTable(COND_AUTHORIZATION_TABLE);
880  schema.dropIfExistsTable(COND_CREDENTIAL_TABLE);
881  schema.dropIfExistsTable(COND_AUTHENTICATION_TABLE);
882  schema.dropIfExistsTable(SEQUENCE_TABLE_NAME);
883  session.close();
884  return true;
885 }

References cond::CSScopedSession::close(), COND_AUTHENTICATION_TABLE(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), l1RCTOmdsFedVectorProducer_cfi::connectionString, EcalCondDBWriter_cfi::password, SEQUENCE_TABLE_NAME(), cond::CSScopedSession::startSuper(), and EcalCondDBWriter_cfi::userName.

◆ exportAll()

bool cond::CredentialStore::exportAll ( coral_bridge::AuthenticationCredentialSet data)

Definition at line 1414 of file CredentialStore.cc.

1414  {
1415  CSScopedSession session(*this);
1416  session.start(true);
1417  coral::ISchema& schema = m_session->nominalSchema();
1418  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1419  query->addToTableList(COND_AUTHORIZATION_TABLE, "AUTHO");
1420  query->addToTableList(COND_CREDENTIAL_TABLE, "CREDS");
1421  coral::AttributeList readBuff;
1422  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1423  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1424  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1425  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1426  readBuff.extend<std::string>("CREDS." + CONNECTION_KEY_COL);
1427  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1428  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1429  coral::AttributeList whereData;
1430  std::stringstream whereClause;
1431  whereClause << "AUTHO." << C_ID_COL << "="
1432  << "CREDS." << CONNECTION_ID_COL;
1433 
1434  query->defineOutput(readBuff);
1435  query->addToOutputList("AUTHO." + ROLE_COL);
1436  query->addToOutputList("AUTHO." + SCHEMA_COL);
1437  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1438  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1439  query->addToOutputList("CREDS." + CONNECTION_KEY_COL);
1440  query->addToOutputList("CREDS." + USERNAME_COL);
1441  query->addToOutputList("CREDS." + PASSWORD_COL);
1442  query->setCondition(whereClause.str(), whereData);
1443  coral::ICursor& cursor = query->execute();
1444  bool found = false;
1445  auth::Cipher cipher0(m_principalKey);
1446  while (cursor.next()) {
1447  const coral::AttributeList& row = cursor.currentRow();
1448  const std::string& role = row["AUTHO." + ROLE_COL].data<std::string>();
1449  const std::string& connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1450  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1451  const std::string& encryptedVerifKey = row["CREDS." + VERIFICATION_KEY_COL].data<std::string>();
1452  const std::string& encryptedConnection = row["CREDS." + CONNECTION_KEY_COL].data<std::string>();
1453  std::string userName("");
1454  std::string password("");
1455  std::string connectionKey = cipher0.b64decrypt(encryptedConnection);
1456  auth::Cipher cipher1(connectionKey);
1457  std::string verifKey = cipher1.b64decrypt(encryptedVerifKey);
1458  if (verifKey == connectionLabel) {
1459  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1460  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1461  userName = cipher1.b64decrypt(encryptedUserName);
1462  password = cipher1.b64decrypt(encryptedPassword);
1463  }
1464  data.registerCredentials(connectionString, role, userName, password);
1465  found = true;
1466  }
1467  session.close();
1468  return found;
1469 }

References cond::auth::Cipher::b64decrypt(), C_ID_COL(), cond::CSScopedSession::close(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), CONNECTION_ID_COL(), CONNECTION_KEY_COL(), CONNECTION_LABEL_COL(), l1RCTOmdsFedVectorProducer_cfi::connectionString, data, newFWLiteAna::found, EcalCondDBWriter_cfi::password, PASSWORD_COL(), contentValuesFiles::query, ROLE_COL(), SCHEMA_COL(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, EcalCondDBWriter_cfi::userName, USERNAME_COL(), and VERIFICATION_KEY_COL().

◆ importForPrincipal()

bool cond::CredentialStore::importForPrincipal ( const std::string &  principal,
const coral_bridge::AuthenticationCredentialSet data,
bool  forceUpdateConnection = false 
)

import data

Definition at line 1244 of file CredentialStore.cc.

1246  {
1247  CSScopedSession session(*this);
1248  session.start(false);
1249  coral::ISchema& schema = m_session->nominalSchema();
1250 
1251  PrincipalData princData;
1252  bool found = selectPrincipal(schema, principal, princData);
1253 
1254  if (!found) {
1255  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1256  throwException(msg, "CredentialStore::importForPrincipal");
1257  }
1258 
1259  bool imported = false;
1260  auth::Cipher cipher(m_principalKey);
1261  std::string princKey = cipher.b64decrypt(princData.adminKey);
1262 
1263  const std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>& creds = dataSource.data();
1264  for (std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iConn =
1265  creds.begin();
1266  iConn != creds.end();
1267  ++iConn) {
1268  const std::string& connectionString = iConn->first.first;
1269  coral::URIParser parser;
1270  parser.setURI(connectionString);
1271  std::string serviceName = parser.hostName();
1272  const std::string& role = iConn->first.second;
1273  std::string userName = iConn->second->valueForItem(coral::IAuthenticationCredentials::userItem());
1274  std::string password = iConn->second->valueForItem(coral::IAuthenticationCredentials::passwordItem());
1275  // first import the connections
1276  std::pair<int, std::string> conn = updateConnectionData(
1277  schema, m_principalKey, schemaLabel(serviceName, userName), userName, password, forceUpdateConnection);
1278  auth::Cipher cipher(m_principalKey);
1279  // than set the permission for the specific role
1280  setPermissionData(schema, princData.id, princKey, role, connectionString, conn.first, conn.second);
1281  imported = true;
1282  }
1283  session.close();
1284  return imported;
1285 }

References cond::PrincipalData::adminKey, cond::auth::Cipher::b64decrypt(), cond::CSScopedSession::close(), SiStripCommissioningClient_cfg::conn, l1RCTOmdsFedVectorProducer_cfi::connectionString, L1TdeStage2CaloLayer1_cfi::dataSource, newFWLiteAna::found, cond::PrincipalData::id, genParticles_cff::map, mps_check::msg, writedatasetfile::parser, EcalCondDBWriter_cfi::password, cond::schemaLabel(), cond::selectPrincipal(), serviceName, cond::setPermissionData(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, cond::throwException(), cond::updateConnectionData(), and EcalCondDBWriter_cfi::userName.

◆ keyPrincipalName()

const std::string & cond::CredentialStore::keyPrincipalName ( )

Definition at line 1471 of file CredentialStore.cc.

1471 { return m_key.principalName(); }

◆ listConnections()

bool cond::CredentialStore::listConnections ( std::map< std::string, std::pair< std::string, std::string > > &  destination)

Definition at line 1308 of file CredentialStore.cc.

1308  {
1309  CSScopedSession session(*this);
1310  session.start(true);
1311  coral::ISchema& schema = m_session->nominalSchema();
1312 
1313  std::unique_ptr<coral::IQuery> query(schema.tableHandle(COND_CREDENTIAL_TABLE).newQuery());
1314  coral::AttributeList readBuff;
1315  readBuff.extend<std::string>(CONNECTION_LABEL_COL);
1316  readBuff.extend<std::string>(USERNAME_COL);
1317  readBuff.extend<std::string>(PASSWORD_COL);
1318  readBuff.extend<std::string>(VERIFICATION_KEY_COL);
1319  readBuff.extend<std::string>(CONNECTION_KEY_COL);
1320  query->defineOutput(readBuff);
1321  query->addToOutputList(CONNECTION_LABEL_COL);
1322  query->addToOutputList(USERNAME_COL);
1323  query->addToOutputList(PASSWORD_COL);
1324  query->addToOutputList(VERIFICATION_KEY_COL);
1325  query->addToOutputList(CONNECTION_KEY_COL);
1326  coral::ICursor& cursor = query->execute();
1327  bool found = false;
1328  auth::Cipher cipher0(m_principalKey);
1329  while (cursor.next()) {
1330  std::string userName("");
1331  std::string password("");
1332  const coral::AttributeList& row = cursor.currentRow();
1333  const std::string& connLabel = row[CONNECTION_LABEL_COL].data<std::string>();
1334  const std::string& encryptedKey = row[CONNECTION_KEY_COL].data<std::string>();
1335  const std::string& encryptedVerif = row[VERIFICATION_KEY_COL].data<std::string>();
1336  std::string connKey = cipher0.b64decrypt(encryptedKey);
1337  auth::Cipher cipher1(connKey);
1338  std::string verif = cipher1.b64decrypt(encryptedVerif);
1339  if (verif == connLabel) {
1340  const std::string& encryptedUserName = row[USERNAME_COL].data<std::string>();
1341  const std::string& encryptedPassword = row[PASSWORD_COL].data<std::string>();
1342  userName = cipher1.b64decrypt(encryptedUserName);
1343  password = cipher1.b64decrypt(encryptedPassword);
1344  }
1345  destination.insert(std::make_pair(connLabel, std::make_pair(userName, password)));
1346  found = true;
1347  }
1348  session.close();
1349  return found;
1350 }

References cond::auth::Cipher::b64decrypt(), cond::CSScopedSession::close(), COND_CREDENTIAL_TABLE(), CONNECTION_KEY_COL(), CONNECTION_LABEL_COL(), HLTMuonOfflineAnalyzer_cff::destination, newFWLiteAna::found, EcalCondDBWriter_cfi::password, PASSWORD_COL(), contentValuesFiles::query, cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, EcalCondDBWriter_cfi::userName, USERNAME_COL(), and VERIFICATION_KEY_COL().

◆ listPrincipals()

bool cond::CredentialStore::listPrincipals ( std::vector< std::string > &  destination)

Definition at line 1287 of file CredentialStore.cc.

1287  {
1288  CSScopedSession session(*this);
1289  session.start(true);
1290  coral::ISchema& schema = m_session->nominalSchema();
1291 
1292  std::unique_ptr<coral::IQuery> query(schema.tableHandle(COND_AUTHENTICATION_TABLE).newQuery());
1293  coral::AttributeList readBuff;
1294  readBuff.extend<std::string>(PRINCIPAL_NAME_COL);
1295  query->defineOutput(readBuff);
1296  query->addToOutputList(PRINCIPAL_NAME_COL);
1297  coral::ICursor& cursor = query->execute();
1298  bool found = false;
1299  while (cursor.next()) {
1300  found = true;
1301  const coral::AttributeList& row = cursor.currentRow();
1302  destination.push_back(row[PRINCIPAL_NAME_COL].data<std::string>());
1303  }
1304  session.close();
1305  return found;
1306 }

References cond::CSScopedSession::close(), COND_AUTHENTICATION_TABLE(), HLTMuonOfflineAnalyzer_cff::destination, newFWLiteAna::found, PRINCIPAL_NAME_COL(), contentValuesFiles::query, cond::CSScopedSession::start(), and AlCaHLTBitMon_QueryRunRegistry::string.

◆ openConnection()

std::pair< std::string, std::string > cond::CredentialStore::openConnection ( const std::string &  connectionString)
private

Definition at line 536 of file CredentialStore.cc.

536  {
537  coral::IHandle<coral::IRelationalService> relationalService =
538  coral::Context::instance().query<coral::IRelationalService>();
539  if (!relationalService.isValid()) {
540  coral::Context::instance().loadComponent("CORAL/Services/RelationalService");
541  relationalService = coral::Context::instance().query<coral::IRelationalService>();
542  }
543  coral::IRelationalDomain& domain = relationalService->domainForConnection(connectionString);
544  std::pair<std::string, std::string> connTokens = domain.decodeUserConnectionString(connectionString);
545  m_connection.reset(domain.newConnection(connTokens.first));
546  m_connection->connect();
547  return connTokens;
548 }

References l1RCTOmdsFedVectorProducer_cfi::connectionString, and instance.

◆ openSession() [1/2]

void cond::CredentialStore::openSession ( bool  readOnly = true)
private

◆ openSession() [2/2]

void cond::CredentialStore::openSession ( const std::string &  schemaName,
const std::string &  userName,
const std::string &  password,
bool  readMode 
)
private

Definition at line 550 of file CredentialStore.cc.

553  {
554  coral::AccessMode accessMode = coral::ReadOnly;
555  if (!readMode)
556  accessMode = coral::Update;
557  m_session.reset(m_connection->newSession(schemaName, accessMode));
558  m_session->startUserSession(userName, password);
559  // open read-only transaction
560  m_session->transaction().start(readMode);
561 }

References EcalCondDBWriter_cfi::password, and EcalCondDBWriter_cfi::userName.

◆ removeConnection()

bool cond::CredentialStore::removeConnection ( const std::string &  connectionLabel)

Definition at line 1154 of file CredentialStore.cc.

1154  {
1155  CSScopedSession session(*this);
1156  session.start(false);
1157  coral::ISchema& schema = m_session->nominalSchema();
1158 
1159  CredentialData credsData;
1160  bool found = selectConnection(schema, connectionLabel, credsData);
1161 
1162  if (!found) {
1163  std::string msg = "Connection named \"" + connectionLabel + "\" does not exist in the database.";
1164  throwException(msg, "CredentialStore::removeConnection");
1165  }
1166 
1167  coral::ITableDataEditor& editor0 = schema.tableHandle(COND_AUTHORIZATION_TABLE).dataEditor();
1168 
1169  coral::AttributeList deleteData0;
1170  deleteData0.extend<int>(C_ID_COL);
1171  deleteData0[C_ID_COL].data<int>() = credsData.id;
1172  std::string whereClause0 = C_ID_COL + " = :" + C_ID_COL;
1173  editor0.deleteRows(whereClause0, deleteData0);
1174 
1175  coral::ITableDataEditor& editor1 = schema.tableHandle(COND_CREDENTIAL_TABLE).dataEditor();
1176 
1177  coral::AttributeList deleteData1;
1178  deleteData1.extend<int>(CONNECTION_ID_COL);
1179  deleteData1[CONNECTION_ID_COL].data<int>() = credsData.id;
1180  std::string whereClause1 = CONNECTION_ID_COL + " = :" + CONNECTION_ID_COL;
1181  editor1.deleteRows(whereClause1, deleteData1);
1182 
1183  session.close();
1184 
1185  return true;
1186 }

References C_ID_COL(), cond::CSScopedSession::close(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), CONNECTION_ID_COL(), newFWLiteAna::found, cond::CredentialData::id, mps_check::msg, cond::selectConnection(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, and cond::throwException().

◆ removePrincipal()

bool cond::CredentialStore::removePrincipal ( const std::string &  principal)

Definition at line 1120 of file CredentialStore.cc.

1120  {
1121  CSScopedSession session(*this);
1122  session.start(false);
1123  coral::ISchema& schema = m_session->nominalSchema();
1124 
1125  PrincipalData princData;
1126  bool found = selectPrincipal(schema, principal, princData);
1127 
1128  if (!found) {
1129  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1130  throwException(msg, "CredentialStore::removePrincipal");
1131  }
1132 
1133  coral::ITableDataEditor& editor0 = schema.tableHandle(COND_AUTHORIZATION_TABLE).dataEditor();
1134 
1135  coral::AttributeList deleteData0;
1136  deleteData0.extend<int>(P_ID_COL);
1137  deleteData0[P_ID_COL].data<int>() = princData.id;
1138  std::string whereClause0 = P_ID_COL + " = :" + P_ID_COL;
1139  editor0.deleteRows(whereClause0, deleteData0);
1140 
1141  coral::ITableDataEditor& editor1 = schema.tableHandle(COND_AUTHENTICATION_TABLE).dataEditor();
1142 
1143  coral::AttributeList deleteData1;
1144  deleteData1.extend<int>(PRINCIPAL_ID_COL);
1145  deleteData1[PRINCIPAL_ID_COL].data<int>() = princData.id;
1146  std::string whereClause1 = PRINCIPAL_ID_COL + " = :" + PRINCIPAL_ID_COL;
1147  editor1.deleteRows(whereClause1, deleteData1);
1148 
1149  session.close();
1150 
1151  return true;
1152 }

References cond::CSScopedSession::close(), COND_AUTHENTICATION_TABLE(), COND_AUTHORIZATION_TABLE(), newFWLiteAna::found, cond::PrincipalData::id, mps_check::msg, P_ID_COL(), PRINCIPAL_ID_COL(), cond::selectPrincipal(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, and cond::throwException().

◆ resetAdmin()

bool cond::CredentialStore::resetAdmin ( const std::string &  userName,
const std::string &  password 
)

Definition at line 887 of file CredentialStore.cc.

887  {
888  if (!m_serviceData) {
889  throwException("The credential store has not been initialized.", "cond::CredentialStore::installAdmin");
890  }
891  const std::string& connectionString = m_serviceData->connectionString;
892 
893  CSScopedSession session(*this);
894  session.startSuper(connectionString, userName, password);
895 
896  coral::ISchema& schema = m_session->nominalSchema();
897  const std::string& principalName = m_key.principalName();
898  const std::string& authenticationKey = m_key.principalKey();
899  PrincipalData princData;
900  if (!selectPrincipal(schema, principalName, princData)) {
901  std::string msg("User \"");
902  msg += principalName + "\" has not been found.";
903  throwException(msg, "CredentialStore::resetAdmin");
904  }
905  auth::Cipher cipher0(authenticationKey);
906  m_principalKey = cipher0.b64decrypt(princData.principalKey);
907 
908  auto p = updatePrincipalData(schema, authenticationKey, principalName, m_principalKey);
909  std::string credentialAccessLabel = schemaLabel(m_serviceName, userName);
910  auto connParams = updateConnectionData(schema, m_principalKey, credentialAccessLabel, userName, password, true);
911  bool ret = setPermissionData(
912  schema, p.first, m_principalKey, auth::COND_ADMIN_ROLE, connectionString, connParams.first, connParams.second);
913  session.close();
914  return ret;
915 }

References cond::auth::Cipher::b64decrypt(), cond::CSScopedSession::close(), cond::auth::COND_ADMIN_ROLE, l1RCTOmdsFedVectorProducer_cfi::connectionString, mps_check::msg, AlCaHLTBitMon_ParallelJobs::p, EcalCondDBWriter_cfi::password, cond::PrincipalData::principalKey, runTheMatrix::ret, cond::schemaLabel(), cond::selectPrincipal(), cond::setPermissionData(), cond::CSScopedSession::startSuper(), AlCaHLTBitMon_QueryRunRegistry::string, cond::throwException(), cond::updateConnectionData(), cond::updatePrincipalData(), and EcalCondDBWriter_cfi::userName.

◆ selectForUser()

bool cond::CredentialStore::selectForUser ( coral_bridge::AuthenticationCredentialSet destinationData)

Definition at line 1188 of file CredentialStore.cc.

1188  {
1189  CSScopedSession session(*this);
1190  session.start(true);
1191  coral::ISchema& schema = m_session->nominalSchema();
1192 
1193  auth::Cipher cipher(m_principalKey);
1194 
1195  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1196  query->addToTableList(COND_AUTHORIZATION_TABLE, "AUTHO");
1197  query->addToTableList(COND_CREDENTIAL_TABLE, "CREDS");
1198  coral::AttributeList readBuff;
1199  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1200  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1201  readBuff.extend<std::string>("AUTHO." + AUTH_KEY_COL);
1202  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1203  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1204  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1205  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1206  coral::AttributeList whereData;
1207  whereData.extend<int>(P_ID_COL);
1208  whereData[P_ID_COL].data<int>() = m_principalId;
1209  std::stringstream whereClause;
1210  whereClause << "AUTHO." << C_ID_COL << "="
1211  << "CREDS." << CONNECTION_ID_COL;
1212  whereClause << " AND "
1213  << "AUTHO." << P_ID_COL << " = :" << P_ID_COL;
1214  query->defineOutput(readBuff);
1215  query->addToOutputList("AUTHO." + ROLE_COL);
1216  query->addToOutputList("AUTHO." + SCHEMA_COL);
1217  query->addToOutputList("AUTHO." + AUTH_KEY_COL);
1218  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1219  query->addToOutputList("CREDS." + USERNAME_COL);
1220  query->addToOutputList("CREDS." + PASSWORD_COL);
1221  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1222  query->setCondition(whereClause.str(), whereData);
1223  coral::ICursor& cursor = query->execute();
1224  while (cursor.next()) {
1225  const coral::AttributeList& row = cursor.currentRow();
1226  const std::string& role = row["AUTHO." + ROLE_COL].data<std::string>();
1227  const std::string& connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1228  const std::string& encryptedAuthKey = row["AUTHO." + AUTH_KEY_COL].data<std::string>();
1229  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1230  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1231  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1232  const std::string& encryptedLabel = row["CREDS." + VERIFICATION_KEY_COL].data<std::string>();
1233  std::string authKey = cipher.b64decrypt(encryptedAuthKey);
1234  auth::Cipher connCipher(authKey);
1235  if (connCipher.b64decrypt(encryptedLabel) == connectionLabel) {
1236  destinationData.registerCredentials(
1237  connectionString, role, connCipher.b64decrypt(encryptedUserName), connCipher.b64decrypt(encryptedPassword));
1238  }
1239  }
1240  session.close();
1241  return true;
1242 }

References AUTH_KEY_COL(), cond::auth::Cipher::b64decrypt(), C_ID_COL(), cond::CSScopedSession::close(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), CONNECTION_ID_COL(), CONNECTION_LABEL_COL(), l1RCTOmdsFedVectorProducer_cfi::connectionString, P_ID_COL(), PASSWORD_COL(), contentValuesFiles::query, coral_bridge::AuthenticationCredentialSet::registerCredentials(), ROLE_COL(), SCHEMA_COL(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, USERNAME_COL(), and VERIFICATION_KEY_COL().

◆ selectPermissions()

bool cond::CredentialStore::selectPermissions ( const std::string &  principalName,
const std::string &  role,
const std::string &  connectionString,
std::vector< Permission > &  destination 
)

Definition at line 1352 of file CredentialStore.cc.

1355  {
1356  CSScopedSession session(*this);
1357  session.start(true);
1358  coral::ISchema& schema = m_session->nominalSchema();
1359  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1360  query->addToTableList(COND_AUTHENTICATION_TABLE, "AUTHE");
1361  query->addToTableList(COND_AUTHORIZATION_TABLE, "AUTHO");
1362  query->addToTableList(COND_CREDENTIAL_TABLE, "CREDS");
1363  coral::AttributeList readBuff;
1364  readBuff.extend<std::string>("AUTHE." + PRINCIPAL_NAME_COL);
1365  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1366  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1367  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1368  coral::AttributeList whereData;
1369  std::stringstream whereClause;
1370  whereClause << "AUTHE." << PRINCIPAL_ID_COL << "= AUTHO." << P_ID_COL;
1371  whereClause << " AND AUTHO." << C_ID_COL << "="
1372  << "CREDS." << CONNECTION_ID_COL;
1373  if (!principalName.empty()) {
1374  whereData.extend<std::string>(PRINCIPAL_NAME_COL);
1375  whereData[PRINCIPAL_NAME_COL].data<std::string>() = principalName;
1376  whereClause << " AND AUTHE." << PRINCIPAL_NAME_COL << " = :" << PRINCIPAL_NAME_COL;
1377  }
1378  if (!role.empty()) {
1379  whereData.extend<std::string>(ROLE_COL);
1380  whereData[ROLE_COL].data<std::string>() = role;
1381  whereClause << " AND AUTHO." << ROLE_COL << " = :" << ROLE_COL;
1382  }
1383  if (!connectionString.empty()) {
1384  whereData.extend<std::string>(SCHEMA_COL);
1385  whereData[SCHEMA_COL].data<std::string>() = connectionString;
1386  whereClause << " AND AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
1387  }
1388 
1389  query->defineOutput(readBuff);
1390  query->addToOutputList("AUTHE." + PRINCIPAL_NAME_COL);
1391  query->addToOutputList("AUTHO." + ROLE_COL);
1392  query->addToOutputList("AUTHO." + SCHEMA_COL);
1393  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1394  query->setCondition(whereClause.str(), whereData);
1395  query->addToOrderList("AUTHO." + SCHEMA_COL);
1396  query->addToOrderList("AUTHE." + PRINCIPAL_NAME_COL);
1397  query->addToOrderList("AUTHO." + ROLE_COL);
1398  coral::ICursor& cursor = query->execute();
1399  bool found = false;
1400  while (cursor.next()) {
1401  const coral::AttributeList& row = cursor.currentRow();
1402  destination.resize(destination.size() + 1);
1403  Permission& perm = destination.back();
1404  perm.principalName = row["AUTHE." + PRINCIPAL_NAME_COL].data<std::string>();
1405  perm.role = row["AUTHO." + ROLE_COL].data<std::string>();
1406  perm.connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1407  perm.connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1408  found = true;
1409  }
1410  session.close();
1411  return found;
1412 }

References C_ID_COL(), cond::CSScopedSession::close(), COND_AUTHENTICATION_TABLE(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), CONNECTION_ID_COL(), CONNECTION_LABEL_COL(), cond::CredentialStore::Permission::connectionLabel, l1RCTOmdsFedVectorProducer_cfi::connectionString, cond::CredentialStore::Permission::connectionString, HLTMuonOfflineAnalyzer_cff::destination, newFWLiteAna::found, P_ID_COL(), PRINCIPAL_ID_COL(), PRINCIPAL_NAME_COL(), cond::CredentialStore::Permission::principalName, contentValuesFiles::query, cond::CredentialStore::Permission::role, ROLE_COL(), SCHEMA_COL(), cond::CSScopedSession::start(), and AlCaHLTBitMon_QueryRunRegistry::string.

◆ setPermission()

bool cond::CredentialStore::setPermission ( const std::string &  principal,
const std::string &  role,
const std::string &  connectionString,
const std::string &  connectionLabel 
)

Definition at line 1037 of file CredentialStore.cc.

1040  {
1041  CSScopedSession session(*this);
1042  session.start(false);
1043 
1044  coral::ISchema& schema = m_session->nominalSchema();
1045 
1046  PrincipalData princData;
1047  bool found = selectPrincipal(schema, principal, princData);
1048 
1049  if (!found) {
1050  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1051  throwException(msg, "CredentialStore::setPermission");
1052  }
1053 
1054  CredentialData credsData;
1055  found = selectConnection(schema, connectionLabel, credsData);
1056 
1057  if (!found) {
1058  std::string msg = "Connection named \"" + connectionLabel + "\" does not exist in the database.";
1059  throwException(msg, "CredentialStore::setPermission");
1060  }
1061 
1062  auth::Cipher cipher(m_principalKey);
1063  bool ret = setPermissionData(schema,
1064  princData.id,
1065  cipher.b64decrypt(princData.adminKey),
1066  role,
1067  connectionString,
1068  credsData.id,
1069  cipher.b64decrypt(credsData.connectionKey));
1070  session.close();
1071  return ret;
1072 }

References cond::PrincipalData::adminKey, cond::auth::Cipher::b64decrypt(), cond::CSScopedSession::close(), cond::CredentialData::connectionKey, l1RCTOmdsFedVectorProducer_cfi::connectionString, newFWLiteAna::found, cond::PrincipalData::id, cond::CredentialData::id, mps_check::msg, runTheMatrix::ret, cond::selectConnection(), cond::selectPrincipal(), cond::setPermissionData(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, and cond::throwException().

◆ setUpForConnectionString()

std::string cond::CredentialStore::setUpForConnectionString ( const std::string &  connectionString,
const std::string &  authPath 
)

Definition at line 714 of file CredentialStore.cc.

715  {
716  coral::IHandle<coral::IRelationalService> relationalService =
717  coral::Context::instance().query<coral::IRelationalService>();
718  if (!relationalService.isValid()) {
719  coral::Context::instance().loadComponent("CORAL/Services/RelationalService");
720  relationalService = coral::Context::instance().query<coral::IRelationalService>();
721  }
722  coral::IRelationalDomain& domain = relationalService->domainForConnection(connectionString);
723  std::pair<std::string, std::string> connTokens = domain.decodeUserConnectionString(connectionString);
724  std::string& serviceName = connTokens.first;
725  return setUpForService(serviceName, authPath);
726 }

References lumi_dqm_sourceclient-live_cfg::authPath, l1RCTOmdsFedVectorProducer_cfi::connectionString, instance, serviceName, and AlCaHLTBitMon_QueryRunRegistry::string.

◆ setUpForService()

std::string cond::CredentialStore::setUpForService ( const std::string &  serviceName,
const std::string &  authPath 
)

Sets the initialization parameters.

Definition at line 684 of file CredentialStore.cc.

684  {
685  if (serviceName.empty()) {
686  throwException("Service name has not been provided.", "cond::CredentialStore::setUpConnection");
687  }
688  m_serviceName.clear();
689  m_serviceData = nullptr;
690 
691  if (authPath.empty()) {
692  throwException("The authentication Path has not been provided.", "cond::CredentialStore::setUpForService");
693  }
694  boost::filesystem::path fullPath(authPath);
695  if (!boost::filesystem::exists(authPath) || !boost::filesystem::is_directory(authPath)) {
696  throwException("Authentication Path is invalid.", "cond::CredentialStore::setUpForService");
697  }
698  boost::filesystem::path file(auth::DecodingKey::FILE_PATH);
699  fullPath /= file;
700 
701  m_key.init(fullPath.string(), auth::COND_KEY);
702 
703  std::map<std::string, auth::ServiceCredentials>::const_iterator iK = m_key.services().find(serviceName);
704  if (iK == m_key.services().end()) {
705  std::string msg("");
706  msg += "Service \"" + serviceName + "\" can't be open with the current key.";
707  throwException(msg, "cond::CredentialStore::setUpConnection");
708  }
709  m_serviceName = serviceName;
710  m_serviceData = &iK->second;
711  return m_serviceData->connectionString;
712 }

References lumi_dqm_sourceclient-live_cfg::authPath, cond::auth::COND_KEY, FrontierConditions_GlobalTag_cff::file, cond::auth::DecodingKey::FILE_PATH, contentValuesFiles::fullPath, mps_check::msg, castor_dqm_sourceclient_file_cfg::path, serviceName, AlCaHLTBitMon_QueryRunRegistry::string, and cond::throwException().

◆ startSession()

void cond::CredentialStore::startSession ( bool  readMode)
private

Definition at line 571 of file CredentialStore.cc.

571  {
572  if (!m_serviceData) {
573  throwException("The credential store has not been initialized.", "cond::CredentialStore::openConnection");
574  }
575  const std::string& storeConnectionString = m_serviceData->connectionString;
576 
577  std::pair<std::string, std::string> connTokens = openConnection(storeConnectionString);
578 
579  const std::string& userName = m_serviceData->userName;
580  const std::string& password = m_serviceData->password;
581 
582  openSession(connTokens.second, userName, password, true);
583 
584  coral::ISchema& schema = m_session->nominalSchema();
585  if (!schema.existsTable(COND_AUTHENTICATION_TABLE) || !schema.existsTable(COND_AUTHORIZATION_TABLE) ||
586  !schema.existsTable(COND_CREDENTIAL_TABLE)) {
587  throwException("Credential database does not exists in \"" + storeConnectionString + "\"",
588  "CredentialStore::startSession");
589  }
590 
591  const std::string& principalName = m_key.principalName();
592  // now authenticate...
593  PrincipalData princData;
594  if (!selectPrincipal(m_session->nominalSchema(), principalName, princData)) {
595  throwException("Invalid credentials provided.(0)", "CredentialStore::startSession");
596  }
597  auth::Cipher cipher0(m_key.principalKey());
598  std::string verifStr = cipher0.b64decrypt(princData.verifKey);
599  if (verifStr != principalName) {
600  throwException("Invalid credentials provided (1)", "CredentialStore::startSession");
601  }
602  // ok, authenticated!
603  m_principalId = princData.id;
604  m_principalKey = cipher0.b64decrypt(princData.principalKey);
605 
606  if (!readMode) {
607  auth::Cipher cipher0(m_principalKey);
608  std::string adminKey = cipher0.b64decrypt(princData.adminKey);
609  if (adminKey != m_principalKey) {
610  // not admin user!
611  throwException("Provided credentials does not allow admin operation.", "CredentialStore::openSession");
612  }
613 
614  // first find the credentials for WRITING in the security tables
615  std::unique_ptr<coral::IQuery> query(schema.newQuery());
616  query->addToTableList(COND_AUTHORIZATION_TABLE, "AUTHO");
617  query->addToTableList(COND_CREDENTIAL_TABLE, "CREDS");
618  coral::AttributeList readBuff;
619  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
620  readBuff.extend<std::string>("CREDS." + CONNECTION_KEY_COL);
621  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
622  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
623  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
624  coral::AttributeList whereData;
625  whereData.extend<int>(P_ID_COL);
626  whereData.extend<std::string>(ROLE_COL);
627  whereData.extend<std::string>(SCHEMA_COL);
628  whereData[P_ID_COL].data<int>() = m_principalId;
629  whereData[ROLE_COL].data<std::string>() = auth::COND_ADMIN_ROLE;
630  whereData[SCHEMA_COL].data<std::string>() = storeConnectionString;
631  std::stringstream whereClause;
632  whereClause << "AUTHO." << C_ID_COL << " = CREDS." << CONNECTION_ID_COL;
633  whereClause << " AND AUTHO." << P_ID_COL << " = :" << P_ID_COL;
634  whereClause << " AND AUTHO." << ROLE_COL << " = :" << ROLE_COL;
635  whereClause << " AND AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
636  query->defineOutput(readBuff);
637  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
638  query->addToOutputList("CREDS." + CONNECTION_KEY_COL);
639  query->addToOutputList("CREDS." + USERNAME_COL);
640  query->addToOutputList("CREDS." + PASSWORD_COL);
641  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
642  query->setCondition(whereClause.str(), whereData);
643  coral::ICursor& cursor = query->execute();
644  bool found = false;
645  std::string writeUserName("");
646  std::string writePassword("");
647  if (cursor.next()) {
648  const coral::AttributeList& row = cursor.currentRow();
649  const std::string& connLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
650  const std::string& encryptedConnectionKey = row["CREDS." + CONNECTION_KEY_COL].data<std::string>();
651  std::string connectionKey = cipher0.b64decrypt(encryptedConnectionKey);
652  auth::Cipher cipher1(connectionKey);
653  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
654  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
655  const std::string& verificationKey = row["CREDS." + VERIFICATION_KEY_COL].data<std::string>();
656  if (cipher1.b64decrypt(verificationKey) != connLabel) {
657  throwException("Could not decrypt credentials.Provided key is invalid.", "CredentialStore::startSession");
658  }
659  writeUserName = cipher1.b64decrypt(encryptedUserName);
660  writePassword = cipher1.b64decrypt(encryptedPassword);
661  found = true;
662  }
663  if (!found) {
664  throwException("Provided credentials are invalid for write access.", "CredentialStore::openSession");
665  }
666  m_session->transaction().commit();
667  m_session->endUserSession();
668  openSession(connTokens.second, writeUserName, writePassword, false);
669  }
670 }

References cond::PrincipalData::adminKey, cond::auth::Cipher::b64decrypt(), C_ID_COL(), cond::auth::COND_ADMIN_ROLE, COND_AUTHENTICATION_TABLE(), COND_AUTHORIZATION_TABLE(), COND_CREDENTIAL_TABLE(), CONNECTION_ID_COL(), CONNECTION_KEY_COL(), CONNECTION_LABEL_COL(), newFWLiteAna::found, cond::PrincipalData::id, P_ID_COL(), EcalCondDBWriter_cfi::password, PASSWORD_COL(), cond::PrincipalData::principalKey, contentValuesFiles::query, ROLE_COL(), SCHEMA_COL(), cond::selectPrincipal(), AlCaHLTBitMon_QueryRunRegistry::string, cond::persistency::throwException(), EcalCondDBWriter_cfi::userName, USERNAME_COL(), VERIFICATION_KEY_COL(), and cond::PrincipalData::verifKey.

◆ startSuperSession()

void cond::CredentialStore::startSuperSession ( const std::string &  connectionString,
const std::string &  userName,
const std::string &  password 
)
private

Definition at line 563 of file CredentialStore.cc.

565  {
566  std::pair<std::string, std::string> connTokens = openConnection(connectionString);
567  openSession(connTokens.second, userName, password, false);
568 }

References l1RCTOmdsFedVectorProducer_cfi::connectionString, EcalCondDBWriter_cfi::password, and EcalCondDBWriter_cfi::userName.

◆ unsetPermission()

bool cond::CredentialStore::unsetPermission ( const std::string &  principal,
const std::string &  role,
const std::string &  connectionString 
)

Definition at line 1074 of file CredentialStore.cc.

1076  {
1077  CSScopedSession session(*this);
1078  session.start(false);
1079  coral::ISchema& schema = m_session->nominalSchema();
1080 
1081  PrincipalData princData;
1082  bool found = selectPrincipal(schema, principal, princData);
1083 
1084  if (!found) {
1085  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1086  throwException(msg, "CredentialStore::unsetPermission");
1087  }
1088 
1089  coral::ITableDataEditor& editor = schema.tableHandle(COND_AUTHORIZATION_TABLE).dataEditor();
1090  coral::AttributeList deleteData;
1091  deleteData.extend<int>(P_ID_COL);
1092  deleteData.extend<std::string>(ROLE_COL);
1093  deleteData.extend<std::string>(SCHEMA_COL);
1094  deleteData[P_ID_COL].data<int>() = princData.id;
1095  deleteData[ROLE_COL].data<std::string>() = role;
1096  deleteData[SCHEMA_COL].data<std::string>() = connectionString;
1097  std::stringstream whereClause;
1098  whereClause << P_ID_COL + " = :" + P_ID_COL;
1099  whereClause << " AND " << ROLE_COL << " = :" << ROLE_COL;
1100  whereClause << " AND " << SCHEMA_COL << " = :" << SCHEMA_COL;
1101  editor.deleteRows(whereClause.str(), deleteData);
1102  session.close();
1103  return true;
1104 }

References cond::CSScopedSession::close(), COND_AUTHORIZATION_TABLE(), l1RCTOmdsFedVectorProducer_cfi::connectionString, newFWLiteAna::found, cond::PrincipalData::id, mps_check::msg, P_ID_COL(), ROLE_COL(), SCHEMA_COL(), cond::selectPrincipal(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, and cond::throwException().

◆ updateConnection()

bool cond::CredentialStore::updateConnection ( const std::string &  connectionLabel,
const std::string &  userName,
const std::string &  password 
)

Definition at line 1106 of file CredentialStore.cc.

1108  {
1109  CSScopedSession session(*this);
1110  session.start(false);
1111 
1112  m_session->transaction().start();
1113  coral::ISchema& schema = m_session->nominalSchema();
1114  updateConnectionData(schema, m_principalKey, connectionLabel, userName, password, true);
1115 
1116  session.close();
1117  return true;
1118 }

References cond::CSScopedSession::close(), EcalCondDBWriter_cfi::password, cond::CSScopedSession::start(), cond::updateConnectionData(), and EcalCondDBWriter_cfi::userName.

◆ updatePrincipal()

bool cond::CredentialStore::updatePrincipal ( const std::string &  principalName,
const std::string &  authenticationKey,
bool  setAdmin = false 
)

bool cond::CredentialStore::installAdmin( const std::string& userName, const std::string& password ){ if(!m_serviceData){ throwException( "The credential store has not been initialized.","cond::CredentialStore::installAdmin" );
} const std::string& connectionString = m_serviceData->connectionString; const std::string& principalName = m_key.principalName();

CSScopedSession session( *this ); session.startSuper( connectionString, userName, password );

coral::ISchema& schema = m_session->nominalSchema();

PrincipalData princData; bool found = selectPrincipal( schema, principalName, princData );

if( found ){ std::string msg("Principal \""); msg += principalName + "" has been installed already."; throwException(msg,"CredentialStore::installAdmin"); }

auth::KeyGenerator gen; m_principalKey = gen.make( auth::COND_DB_KEY_SIZE );

coral::ITableDataEditor& editor0 = schema.tableHandle(COND_AUTHENTICATION_TABLE).dataEditor();

int principalId = -1; if( !getNextSequenceValue( schema, COND_AUTHENTICATION_TABLE, principalId ) ) throwException( "Can't find "+COND_AUTHENTICATION_TABLE+" sequence.","CredentialStore::installAdmin" );

auth::Cipher cipher0( m_key.principalKey() ); auth::Cipher cipher1( m_principalKey );

coral::AttributeList authData; editor0.rowBuffer(authData); authData[ PRINCIPAL_ID_COL ].data<int>() = principalId; authData[ PRINCIPAL_NAME_COL ].data<std::string>() = principalName; authData[ VERIFICATION_COL ].data<std::string>() = cipher0.b64encrypt( principalName ); authData[ PRINCIPAL_KEY_COL ].data<std::string>() = cipher0.b64encrypt( m_principalKey ); authData[ ADMIN_KEY_COL ].data<std::string>() = cipher1.b64encrypt( m_principalKey ); editor0.insertRow( authData );

std::string connLabel = schemaLabelForCredentialStore( connectionString ); auth::DecodingKey tmpKey; std::string connectionKey = gen.make( auth::COND_DB_KEY_SIZE ); std::string encryptedConnectionKey = cipher1.b64encrypt( connectionKey );

auth::Cipher cipher2( connectionKey ); std::string encryptedUserName = cipher2.b64encrypt( userName ); std::string encryptedPassword = cipher2.b64encrypt( password ); std::string encryptedLabel = cipher2.b64encrypt( connLabel );

int connId = -1; if( !getNextSequenceValue( schema, COND_CREDENTIAL_TABLE, connId ) ) throwException( "Can't find "+COND_CREDENTIAL_TABLE+" sequence.","CredentialStore::installAdmin" );

coral::ITableDataEditor& editor1 = schema.tableHandle(COND_CREDENTIAL_TABLE).dataEditor(); coral::AttributeList connectionData; editor1.rowBuffer(connectionData); connectionData[ CONNECTION_ID_COL ].data<int>() = connId; connectionData[ CONNECTION_LABEL_COL ].data<std::string>() = connLabel; connectionData[ USERNAME_COL ].data<std::string>() = encryptedUserName; connectionData[ PASSWORD_COL ].data<std::string>() = encryptedPassword; connectionData[ VERIFICATION_KEY_COL ].data<std::string>() = encryptedLabel; connectionData[ CONNECTION_KEY_COL ].data<std::string>() = encryptedConnectionKey; editor1.insertRow( connectionData );

int authId = -1; if( !getNextSequenceValue( schema, COND_AUTHORIZATION_TABLE, authId ) ) throwException( "Can't find "+COND_AUTHORIZATION_TABLE+" sequence.","CredentialStore::installAdmin" );

coral::ITableDataEditor& editor2 = schema.tableHandle(COND_AUTHORIZATION_TABLE).dataEditor(); coral::AttributeList permissionData; editor2.rowBuffer(permissionData); permissionData[ AUTH_ID_COL ].data<int>() = authId; permissionData[ P_ID_COL ].data<int>() = principalId; permissionData[ ROLE_COL ].data<std::string>() = auth::COND_ADMIN_ROLE; permissionData[ SCHEMA_COL ].data<std::string>() = connectionString; permissionData[ AUTH_KEY_COL ].data<std::string>() = encryptedConnectionKey; permissionData[ C_ID_COL ].data<int>() = connId; editor2.insertRow( permissionData );

session.close(); return true; }

Definition at line 1002 of file CredentialStore.cc.

1004  {
1005  CSScopedSession session(*this);
1006  session.start(false);
1007  coral::ISchema& schema = m_session->nominalSchema();
1008  auto princData = updatePrincipalData(schema, m_principalKey, principalName, authenticationKey);
1009  bool ret = false;
1010  if (setAdmin) {
1011  int princId = princData.first;
1012  std::string princKey = m_principalKey;
1013  std::string connString = m_serviceData->connectionString;
1014  std::vector<Permission> permissions;
1015  if (!selectPermissions(m_key.principalName(), auth::COND_ADMIN_ROLE, connString, permissions)) {
1016  throwException("The current operating user is not admin user on the underlying Credential Store.",
1017  "CredentialStore::updatePrincipal");
1018  }
1019  std::string connLabel = permissions.front().connectionLabel;
1020  CredentialData credsData;
1021  if (!selectConnection(schema, connLabel, credsData)) {
1022  throwException("Credential Store connection has not been defined.", "CredentialStore::updatePrincipal");
1023  }
1024  auth::Cipher adminCipher(m_principalKey);
1025  ret = setPermissionData(schema,
1026  princId,
1027  princKey,
1028  auth::COND_ADMIN_ROLE,
1029  connString,
1030  credsData.id,
1031  adminCipher.b64decrypt(credsData.connectionKey));
1032  }
1033  session.close();
1034  return ret;
1035 }

References cond::auth::Cipher::b64decrypt(), cond::CSScopedSession::close(), cond::auth::COND_ADMIN_ROLE, cond::CredentialData::connectionKey, cond::CredentialData::id, cmsHarvester::permissions, runTheMatrix::ret, cond::selectConnection(), cond::setPermissionData(), cond::CSScopedSession::start(), AlCaHLTBitMon_QueryRunRegistry::string, cond::throwException(), and cond::updatePrincipalData().

Friends And Related Function Documentation

◆ CSScopedSession

friend class CSScopedSession
friend

Definition at line 143 of file CredentialStore.h.

Member Data Documentation

◆ DEFAULT_DATA_SOURCE

const std::string cond::CredentialStore::DEFAULT_DATA_SOURCE
static

Definition at line 80 of file CredentialStore.h.

◆ m_connection

std::shared_ptr<coral::IConnection> cond::CredentialStore::m_connection
private

Definition at line 160 of file CredentialStore.h.

◆ m_key

auth::DecodingKey cond::CredentialStore::m_key
private

Definition at line 170 of file CredentialStore.h.

◆ m_principalId

int cond::CredentialStore::m_principalId
private

Definition at line 163 of file CredentialStore.h.

◆ m_principalKey

std::string cond::CredentialStore::m_principalKey
private

Definition at line 165 of file CredentialStore.h.

◆ m_serviceData

const auth::ServiceCredentials* cond::CredentialStore::m_serviceData
private

Definition at line 168 of file CredentialStore.h.

◆ m_serviceName

std::string cond::CredentialStore::m_serviceName
private

Definition at line 167 of file CredentialStore.h.

◆ m_session

std::shared_ptr<coral::ISession> cond::CredentialStore::m_session
private

Definition at line 161 of file CredentialStore.h.

runTheMatrix.ret
ret
prodAgent to be discontinued
Definition: runTheMatrix.py:355
lumi_dqm_sourceclient-live_cfg.authPath
authPath
Definition: lumi_dqm_sourceclient-live_cfg.py:33
ROLE_COL
static const std::string ROLE_COL("C_ROLE")
cond::CredentialStore::m_session
std::shared_ptr< coral::ISession > m_session
Definition: CredentialStore.h:161
SCHEMA_COL
static const std::string SCHEMA_COL("C_SCHEMA")
cond::auth::COND_ADMIN_ROLE
static constexpr const char *const COND_ADMIN_ROLE
Definition: Auth.h:18
addSequence
void addSequence(coral::ISchema &schema, const std::string &name)
Definition: CredentialStore.cc:728
cond::CredentialStore::m_serviceData
const auth::ServiceCredentials * m_serviceData
Definition: CredentialStore.h:168
cond::auth::DecodingKey::principalName
const std::string & principalName() const
Definition: DecodingKey.h:94
cond::updateConnectionData
std::pair< int, std::string > updateConnectionData(coral::ISchema &schema, const std::string &adminKey, const std::string &connectionLabel, const std::string &userName, const std::string &password, bool forceUpdate)
Definition: CredentialStore.cc:446
cond::updatePrincipalData
std::pair< int, std::string > updatePrincipalData(coral::ISchema &schema, const std::string &authenticationKey, const std::string &principalName, const std::string &adminKey, bool init=false)
Definition: CredentialStore.cc:341
C_ID_COL
static const std::string C_ID_COL("C_ID")
cond::CredentialStore::m_serviceName
std::string m_serviceName
Definition: CredentialStore.h:167
contentValuesFiles.fullPath
fullPath
Definition: contentValuesFiles.py:64
AlCaHLTBitMon_ParallelJobs.p
p
Definition: AlCaHLTBitMon_ParallelJobs.py:153
AUTH_KEY_COL
static const std::string AUTH_KEY_COL("CRED3")
PRINCIPAL_NAME_COL
static const std::string PRINCIPAL_NAME_COL("P_NAME")
cond::auth::ServiceCredentials::connectionString
std::string connectionString
Definition: DecodingKey.h:15
gather_cfg.cout
cout
Definition: gather_cfg.py:144
CONNECTION_LABEL_COL
static const std::string CONNECTION_LABEL_COL("CONN_LABEL")
SiStripCommissioningClient_cfg.conn
conn
Definition: SiStripCommissioningClient_cfg.py:5
VERIFICATION_KEY_COL
static const std::string VERIFICATION_KEY_COL("CRED6")
writedatasetfile.parser
parser
Definition: writedatasetfile.py:7
cond::CredentialStore::m_key
auth::DecodingKey m_key
Definition: CredentialStore.h:170
cond::CredentialStore::openConnection
std::pair< std::string, std::string > openConnection(const std::string &connectionString)
Definition: CredentialStore.cc:536
mps_check.msg
tuple msg
Definition: mps_check.py:285
cond::auth::DecodingKey::init
size_t init(const std::string &keyFileName, const std::string &password, bool readMode=true)
Definition: DecodingKey.cc:111
newFWLiteAna.found
found
Definition: newFWLiteAna.py:118
serviceName
static const std::string serviceName
Definition: CredentialStore.cc:31
ADMIN_KEY_COL
static const std::string ADMIN_KEY_COL("CRED2")
COND_AUTHORIZATION_TABLE
static const std::string COND_AUTHORIZATION_TABLE("COND_AUTHORIZATION")
EcalCondDBWriter_cfi.userName
userName
Definition: EcalCondDBWriter_cfi.py:61
CONNECTION_KEY_COL
static const std::string CONNECTION_KEY_COL("CRED7")
EcalCondDBWriter_cfi.password
password
Definition: EcalCondDBWriter_cfi.py:62
query
Definition: query.py:1
cmsHarvester.permissions
permissions
Definition: cmsHarvester.py:1650
cond::CredentialStore::setUpForService
std::string setUpForService(const std::string &serviceName, const std::string &authPath)
Sets the initialization parameters.
Definition: CredentialStore.cc:684
SEQUENCE_NAME_COL
static const std::string SEQUENCE_NAME_COL("NAME")
USERNAME_COL
static const std::string USERNAME_COL("CRED4")
SEQUENCE_TABLE_NAME
static const std::string SEQUENCE_TABLE_NAME("COND_CREDENTIAL_SEQUENCE")
cond::auth::DecodingKey::FILE_PATH
static constexpr const char *const FILE_PATH
Definition: DecodingKey.h:34
COND_CREDENTIAL_TABLE
static const std::string COND_CREDENTIAL_TABLE("COND_CREDENTIAL")
gen
Definition: PythiaDecays.h:13
PASSWORD_COL
static const std::string PASSWORD_COL("CRED5")
CONNECTION_ID_COL
static const std::string CONNECTION_ID_COL("CONN_ID")
AlCaHLTBitMon_QueryRunRegistry.string
string
Definition: AlCaHLTBitMon_QueryRunRegistry.py:256
cond::selectConnection
bool selectConnection(coral::ISchema &schema, const std::string &connectionLabel, CredentialData &destination)
Definition: CredentialStore.cc:230
cond::auth::COND_KEY
static constexpr const char *const COND_KEY
Definition: Auth.h:22
L1TdeStage2CaloLayer1_cfi.dataSource
dataSource
Definition: L1TdeStage2CaloLayer1_cfi.py:5
coral_bridge::AuthenticationCredentialSet::registerCredentials
void registerCredentials(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:66
cond::CredentialStore::CSScopedSession
friend class CSScopedSession
Definition: CredentialStore.h:143
FrontierConditions_GlobalTag_cff.file
file
Definition: FrontierConditions_GlobalTag_cff.py:13
P_ID_COL
static const std::string P_ID_COL("P_ID")
cond::auth::ServiceCredentials::password
std::string password
Definition: DecodingKey.h:17
cond::CredentialStore::m_principalKey
std::string m_principalKey
Definition: CredentialStore.h:165
VERIFICATION_COL
static const std::string VERIFICATION_COL("CRED0")
cond::CredentialStore::m_principalId
int m_principalId
Definition: CredentialStore.h:163
instance
static PFTauRenderPlugin instance
Definition: PFTauRenderPlugin.cc:70
HLTMuonOfflineAnalyzer_cff.destination
destination
Definition: HLTMuonOfflineAnalyzer_cff.py:50
cond::selectPrincipal
bool selectPrincipal(coral::ISchema &schema, const std::string &principal, PrincipalData &destination)
Definition: CredentialStore.cc:191
cond::auth::DecodingKey::services
const std::map< std::string, ServiceCredentials > & services() const
Definition: DecodingKey.h:102
AUTH_ID_COL
static const std::string AUTH_ID_COL("AUTH_ID")
Exception
Definition: hltDiff.cc:246
PRINCIPAL_KEY_COL
static const std::string PRINCIPAL_KEY_COL("CRED1")
PRINCIPAL_ID_COL
static const std::string PRINCIPAL_ID_COL("P_ID")
relval_steps.gen
def gen(fragment, howMuch)
Production test section ####.
Definition: relval_steps.py:500
data
char data[epos_bytes_allocation]
Definition: EPOS_Wrapper.h:79
cond::setPermissionData
bool setPermissionData(coral::ISchema &schema, int principalId, const std::string &principalKey, const std::string &role, const std::string &connectionString, int connectionId, const std::string &connectionKey)
Definition: CredentialStore.cc:399
cond::CredentialStore::selectPermissions
bool selectPermissions(const std::string &principalName, const std::string &role, const std::string &connectionString, std::vector< Permission > &destination)
Definition: CredentialStore.cc:1352
cond::schemaLabel
std::string schemaLabel(const std::string &serviceName, const std::string &userName)
Definition: CredentialStore.cc:154
cond::CredentialStore::m_connection
std::shared_ptr< coral::IConnection > m_connection
Definition: CredentialStore.h:160
contentValuesFiles.query
query
Definition: contentValuesFiles.py:38
castor_dqm_sourceclient_file_cfg.path
path
Definition: castor_dqm_sourceclient_file_cfg.py:37
genParticles_cff.map
map
Definition: genParticles_cff.py:11
l1RCTOmdsFedVectorProducer_cfi.connectionString
connectionString
Definition: l1RCTOmdsFedVectorProducer_cfi.py:4
SEQUENCE_VALUE_COL
static const std::string SEQUENCE_VALUE_COL("VALUE")
cond::auth::ServiceCredentials::userName
std::string userName
Definition: DecodingKey.h:16
cond::auth::COND_DB_KEY_SIZE
static constexpr unsigned int COND_DB_KEY_SIZE
Definition: Auth.h:25
cond::CredentialStore::openSession
void openSession(const std::string &schemaName, const std::string &userName, const std::string &password, bool readMode)
Definition: CredentialStore.cc:550
MillePedeFileConverter_cfg.e
e
Definition: MillePedeFileConverter_cfg.py:37
cond::throwException
void throwException(const std::string &message, const std::string &methodName)
Definition: Exception.cc:18
COND_AUTHENTICATION_TABLE
static const std::string COND_AUTHENTICATION_TABLE("COND_AUTHENTICATION")
cond::auth::DecodingKey::principalKey
const std::string & principalKey() const
Definition: DecodingKey.h:96
Generated for CMSSW Reference Manual by doxygen 1.8.16