CMS 3D CMS Logo
CredentialStore.cc
Go to the documentation of this file.
1 #include "CondCore/CondDB/interface/CredentialStore.h"
2 #include "CondCore/CondDB/interface/Cipher.h"
3 #include "CondCore/CondDB/interface/Exception.h"
4 #include "CondCore/CondDB/interface/Auth.h"
5 //
6 #include "CoralBase/AttributeList.h"
7 #include "CoralBase/Attribute.h"
8 #include "CoralKernel/Context.h"
9 #include "CoralCommon/URIParser.h"
10 #include "RelationalAccess/AuthenticationCredentials.h"
11 #include "RelationalAccess/IBulkOperation.h"
12 #include "RelationalAccess/IConnection.h"
13 #include "RelationalAccess/ISession.h"
14 #include "RelationalAccess/IRelationalService.h"
15 #include "RelationalAccess/IRelationalDomain.h"
16 #include "RelationalAccess/ITransaction.h"
17 #include "RelationalAccess/ISchema.h"
18 #include "RelationalAccess/ITable.h"
19 #include "RelationalAccess/TableDescription.h"
20 #include "RelationalAccess/ITableDataEditor.h"
21 #include "RelationalAccess/ITablePrivilegeManager.h"
22 #include "RelationalAccess/IQuery.h"
23 #include "RelationalAccess/ICursor.h"
24 //
25 #include "RelationalAccess/AuthenticationCredentials.h"
26 //
27 #include <filesystem>
28 #include <fstream>
29 #include <sstream>
30 
31 static const std::string serviceName = "CondAuthenticationService";
32 
33 coral_bridge::AuthenticationCredentialSet::AuthenticationCredentialSet() : m_data() {}
34 
35 coral_bridge::AuthenticationCredentialSet::~AuthenticationCredentialSet() { reset(); }
36 
37 void coral_bridge::AuthenticationCredentialSet::reset() {
38  for (auto iData = m_data.begin(); iData != m_data.end(); ++iData)
39  delete iData->second;
40  m_data.clear();
41 }
42 
43 void coral_bridge::AuthenticationCredentialSet::registerItem(const std::string& connectionString,
44  const std::string& itemName,
45  const std::string& itemValue) {
46  registerItem(connectionString, cond::auth::COND_DEFAULT_ROLE, itemName, itemValue);
47 }
48 
49 void coral_bridge::AuthenticationCredentialSet::registerItem(const std::string& connectionString,
50  const std::string& role,
51  const std::string& itemName,
52  const std::string& itemValue) {
53  std::pair<std::string, std::string> connKey(connectionString, role);
54  std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::iterator iData =
55  m_data.find(connKey);
56  if (iData == m_data.end()) {
57  iData = m_data.insert(std::make_pair(connKey, new coral::AuthenticationCredentials(serviceName))).first;
58  }
59  iData = m_data.insert(std::make_pair(connKey, new coral::AuthenticationCredentials(serviceName))).first;
60  iData->second->registerItem(itemName, itemValue);
61 }
62 
63 void coral_bridge::AuthenticationCredentialSet::registerCredentials(const std::string& connectionString,
64  const std::string& userName,
65  const std::string& password) {
66  registerCredentials(connectionString, cond::auth::COND_DEFAULT_ROLE, userName, password);
67 }
68 
69 void coral_bridge::AuthenticationCredentialSet::registerCredentials(const std::string& connectionString,
70  const std::string& role,
71  const std::string& userName,
72  const std::string& password) {
73  std::pair<std::string, std::string> connKey(connectionString, role);
74  std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::iterator iData =
75  m_data.find(connKey);
76  if (iData != m_data.end()) {
77  delete iData->second;
78  m_data.erase(connKey);
79  }
80  iData = m_data.insert(std::make_pair(connKey, new coral::AuthenticationCredentials(serviceName))).first;
81  iData->second->registerItem(coral::IAuthenticationCredentials::userItem(), userName);
82  iData->second->registerItem(coral::IAuthenticationCredentials::passwordItem(), password);
83 }
84 
85 void coral_bridge::AuthenticationCredentialSet::import(const AuthenticationCredentialSet& data) {
86  for (std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iData =
87  data.m_data.begin();
88  iData != data.m_data.end();
89  ++iData) {
90  registerCredentials(iData->first.first,
91  iData->first.second,
92  iData->second->valueForItem(coral::IAuthenticationCredentials::userItem()),
93  iData->second->valueForItem(coral::IAuthenticationCredentials::passwordItem()));
94  }
95 }
96 
97 const coral::IAuthenticationCredentials* coral_bridge::AuthenticationCredentialSet::get(
98  const std::string& connectionString) const {
99  return get(connectionString, cond::auth::COND_DEFAULT_ROLE);
100 }
101 
102 const coral::IAuthenticationCredentials* coral_bridge::AuthenticationCredentialSet::get(
103  const std::string& connectionString, const std::string& role) const {
104  const coral::IAuthenticationCredentials* ret = nullptr;
105  std::pair<std::string, std::string> connKey(connectionString, role);
106  std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iData =
107  m_data.find(connKey);
108  if (iData != m_data.end()) {
109  ret = iData->second;
110  }
111  return ret;
112 }
113 
114 const std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>&
115 coral_bridge::AuthenticationCredentialSet::data() const {
116  return m_data;
117 }
118 
119 static const std::string TABLE_PREFIX("DB_");
120 static const std::string LEGACY_TABLE_PREFIX("COND_");
121 static const std::string SEQUENCE_TABLE("CREDENTIAL_SEQUENCE");
122 static const std::string SEQUENCE_NAME_COL("NAME");
123 static const std::string SEQUENCE_VALUE_COL("VALUE");
124 
125 static const std::string AUTHENTICATION_TABLE("AUTHENTICATION");
126 static const std::string PRINCIPAL_ID_COL("P_ID");
127 static const std::string PRINCIPAL_NAME_COL("P_NAME");
128 static const std::string VERIFICATION_COL("CRED0");
129 static const std::string PRINCIPAL_KEY_COL("CRED1");
130 static const std::string ADMIN_KEY_COL("CRED2");
131 
132 static const std::string AUTHORIZATION_TABLE("AUTHORIZATION");
133 static const std::string AUTH_ID_COL("AUTH_ID");
134 static const std::string P_ID_COL("P_ID");
135 static const std::string ROLE_COL("C_ROLE");
136 static const std::string SCHEMA_COL("C_SCHEMA");
137 static const std::string AUTH_KEY_COL("CRED3");
138 static const std::string C_ID_COL("C_ID");
139 
140 static const std::string CREDENTIAL_TABLE("CREDENTIAL");
141 static const std::string CONNECTION_ID_COL("CONN_ID");
142 static const std::string CONNECTION_LABEL_COL("CONN_LABEL");
143 static const std::string USERNAME_COL("CRED4");
144 static const std::string PASSWORD_COL("CRED5");
145 static const std::string VERIFICATION_KEY_COL("CRED6");
146 static const std::string CONNECTION_KEY_COL("CRED7");
147 
148 const std::string DEFAULT_DATA_SOURCE("Cond_Default_Authentication");
149 
150 std::string tname(const std::string& tableName, const std::string& schemaVersion) {
151  std::string prefix(TABLE_PREFIX);
152  if (schemaVersion.empty())
153  prefix = LEGACY_TABLE_PREFIX;
154  return prefix + tableName;
155 }
156 
157 std::string to_lower(const std::string& s) {
158  std::string str(s);
159  for (auto& c : str)
160  c = tolower(c);
161  return str;
162 }
163 
164 // implementation functions and helpers
165 namespace cond {
166 
167  std::string schemaLabel(const std::string& serviceName, const std::string& userName) {
168  std::string ret = userName;
169  if (!serviceName.empty()) {
170  ret += "@" + serviceName;
171  ret = to_lower(ret);
172  }
173  return ret;
174  }
175 
176  std::string schemaLabelForCredentialStore(const std::string& connectionString) {
177  coral::URIParser parser;
178  parser.setURI(connectionString);
179  std::string serviceName = parser.hostName();
180  std::string schemaName = parser.databaseOrSchemaName();
181  return schemaLabel(serviceName, schemaName);
182  }
183 
184  class CSScopedSession {
185  public:
186  CSScopedSession(CredentialStore& store) : m_store(store) {}
187  ~CSScopedSession() { m_store.closeSession(false); }
188  void startSuper(const std::string& connectionString, const std::string& userName, const std::string& password) {
189  m_store.startSuperSession(connectionString, userName, password);
190  }
191  void start(bool readOnly = true) { m_store.startSession(readOnly); }
192  void close() { m_store.closeSession(); }
193 
194  private:
195  CredentialStore& m_store;
196  };
197 
198  struct PrincipalData {
199  int id;
200  std::string verifKey;
201  std::string principalKey;
202  std::string adminKey;
203  PrincipalData() : id(-1), verifKey(""), principalKey(""), adminKey("") {}
204  };
205  bool selectPrincipal(const std::string& schemaVersion,
206  coral::ISchema& schema,
207  const std::string& principal,
208  PrincipalData& destination) {
209  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHENTICATION_TABLE, schemaVersion)).newQuery());
210  coral::AttributeList readBuff;
211  readBuff.extend<int>(PRINCIPAL_ID_COL);
212  readBuff.extend<std::string>(VERIFICATION_COL);
213  readBuff.extend<std::string>(PRINCIPAL_KEY_COL);
214  readBuff.extend<std::string>(ADMIN_KEY_COL);
215  coral::AttributeList whereData;
216  whereData.extend<std::string>(PRINCIPAL_NAME_COL);
217  whereData[PRINCIPAL_NAME_COL].data<std::string>() = principal;
218  std::string whereClause = PRINCIPAL_NAME_COL + " = :" + PRINCIPAL_NAME_COL;
219  query->defineOutput(readBuff);
220  query->addToOutputList(PRINCIPAL_ID_COL);
221  query->addToOutputList(VERIFICATION_COL);
222  query->addToOutputList(PRINCIPAL_KEY_COL);
223  query->addToOutputList(ADMIN_KEY_COL);
224  query->setCondition(whereClause, whereData);
225  coral::ICursor& cursor = query->execute();
226  bool found = false;
227  if (cursor.next()) {
228  found = true;
229  const coral::AttributeList& row = cursor.currentRow();
230  destination.id = row[PRINCIPAL_ID_COL].data<int>();
231  destination.verifKey = row[VERIFICATION_COL].data<std::string>();
232  destination.principalKey = row[PRINCIPAL_KEY_COL].data<std::string>();
233  destination.adminKey = row[ADMIN_KEY_COL].data<std::string>();
234  }
235  return found;
236  }
237 
238  struct CredentialData {
239  int id;
240  std::string userName;
241  std::string password;
242  std::string connectionKey;
243  std::string verificationKey;
244  CredentialData() : id(-1), userName(""), password(""), connectionKey("") {}
245  };
246 
247  bool selectConnection(const std::string& schemaVersion,
248  coral::ISchema& schema,
249  const std::string& connectionLabel,
250  CredentialData& destination) {
251  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(CREDENTIAL_TABLE, schemaVersion)).newQuery());
252  coral::AttributeList readBuff;
253  readBuff.extend<int>(CONNECTION_ID_COL);
254  readBuff.extend<std::string>(USERNAME_COL);
255  readBuff.extend<std::string>(PASSWORD_COL);
256  readBuff.extend<std::string>(VERIFICATION_KEY_COL);
257  readBuff.extend<std::string>(CONNECTION_KEY_COL);
258  coral::AttributeList whereData;
259  whereData.extend<std::string>(CONNECTION_LABEL_COL);
260  whereData[CONNECTION_LABEL_COL].data<std::string>() = connectionLabel;
261  std::string whereClause = CONNECTION_LABEL_COL + " = :" + CONNECTION_LABEL_COL;
262  query->defineOutput(readBuff);
263  query->addToOutputList(CONNECTION_ID_COL);
264  query->addToOutputList(USERNAME_COL);
265  query->addToOutputList(PASSWORD_COL);
266  query->addToOutputList(VERIFICATION_KEY_COL);
267  query->addToOutputList(CONNECTION_KEY_COL);
268  query->setCondition(whereClause, whereData);
269  coral::ICursor& cursor = query->execute();
270  bool found = false;
271  if (cursor.next()) {
272  const coral::AttributeList& row = cursor.currentRow();
273  destination.id = row[CONNECTION_ID_COL].data<int>();
274  destination.userName = row[USERNAME_COL].data<std::string>();
275  destination.password = row[PASSWORD_COL].data<std::string>();
276  destination.verificationKey = row[VERIFICATION_KEY_COL].data<std::string>();
277  destination.connectionKey = row[CONNECTION_KEY_COL].data<std::string>();
278  found = true;
279  }
280  return found;
281  }
282 
283  struct AuthorizationData {
284  int id;
285  int connectionId;
286  std::string key;
287  AuthorizationData() : id(-1), connectionId(-1), key("") {}
288  };
289 
290  bool selectAuthorization(const std::string& schemaVersion,
291  coral::ISchema& schema,
292  int principalId,
293  const std::string& role,
294  const std::string& connectionString,
295  AuthorizationData& destination) {
296  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHORIZATION_TABLE, schemaVersion)).newQuery());
297  coral::AttributeList readBuff;
298  readBuff.extend<int>(AUTH_ID_COL);
299  readBuff.extend<int>(C_ID_COL);
300  readBuff.extend<std::string>(AUTH_KEY_COL);
301  coral::AttributeList whereData;
302  whereData.extend<int>(P_ID_COL);
303  whereData.extend<std::string>(ROLE_COL);
304  whereData.extend<std::string>(SCHEMA_COL);
305  whereData[P_ID_COL].data<int>() = principalId;
306  whereData[ROLE_COL].data<std::string>() = role;
307  whereData[SCHEMA_COL].data<std::string>() = connectionString;
308  std::stringstream whereClause;
309  whereClause << P_ID_COL << " = :" << P_ID_COL;
310  whereClause << " AND " << ROLE_COL << " = :" << ROLE_COL;
311  whereClause << " AND " << SCHEMA_COL << " = :" << SCHEMA_COL;
312  query->defineOutput(readBuff);
313  query->addToOutputList(AUTH_ID_COL);
314  query->addToOutputList(C_ID_COL);
315  query->addToOutputList(AUTH_KEY_COL);
316  query->setCondition(whereClause.str(), whereData);
317  coral::ICursor& cursor = query->execute();
318  bool found = false;
319  if (cursor.next()) {
320  const coral::AttributeList& row = cursor.currentRow();
321  destination.id = row[AUTH_ID_COL].data<int>();
322  destination.connectionId = row[C_ID_COL].data<int>();
323  destination.key = row[AUTH_KEY_COL].data<std::string>();
324  found = true;
325  }
326  return found;
327  }
328 
329  bool getNextSequenceValue(const std::string& schemaVersion,
330  coral::ISchema& schema,
331  const std::string& sequenceName,
332  int& value) {
333  bool ret = false;
334  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(SEQUENCE_TABLE, schemaVersion)).newQuery());
335  query->limitReturnedRows(1, 0);
336  query->addToOutputList(SEQUENCE_VALUE_COL);
337  query->defineOutputType(SEQUENCE_VALUE_COL, coral::AttributeSpecification::typeNameForType<int>());
338  query->setForUpdate();
339  std::string whereClause(SEQUENCE_NAME_COL + " = :" + SEQUENCE_NAME_COL);
340  coral::AttributeList rowData;
341  rowData.extend<std::string>(SEQUENCE_NAME_COL);
342  rowData.begin()->data<std::string>() = sequenceName;
343  query->setCondition(whereClause, rowData);
344  coral::ICursor& cursor = query->execute();
345  if (cursor.next()) {
346  value = cursor.currentRow().begin()->data<int>() + 1;
347  ret = true;
348  } else {
349  return false;
350  }
351  // update...
352  coral::AttributeList updateData;
353  updateData.extend<std::string>(SEQUENCE_NAME_COL);
354  updateData.extend<int>(SEQUENCE_VALUE_COL);
355  std::string setClause(SEQUENCE_VALUE_COL + " = :" + SEQUENCE_VALUE_COL);
356  std::string whClause(SEQUENCE_NAME_COL + " = :" + SEQUENCE_NAME_COL);
357  coral::AttributeList::iterator iAttribute = updateData.begin();
358  iAttribute->data<std::string>() = sequenceName;
359  ++iAttribute;
360  iAttribute->data<int>() = value;
361  schema.tableHandle(tname(SEQUENCE_TABLE, schemaVersion)).dataEditor().updateRows(setClause, whClause, updateData);
362  return ret;
363  }
364 
365  std::pair<int, std::string> updatePrincipalData(const std::string& schemaVersion,
366  coral::ISchema& schema,
367  const std::string& authenticationKey,
368  const std::string& principalName,
369  const std::string& adminKey,
370  bool init ,
371  std::stringstream& log) {
372  PrincipalData princData;
373  bool found = selectPrincipal(schemaVersion, schema, principalName, princData);
374 
375  auth::Cipher cipher0(authenticationKey);
376  auth::Cipher cipher1(adminKey);
377 
378  std::string verifStr = cipher0.b64encrypt(principalName);
379  std::string principalKey("");
380  int principalId = princData.id;
381 
382  std::string authentication_table_name = tname(AUTHENTICATION_TABLE, schemaVersion);
383 
384  coral::ITableDataEditor& editor = schema.tableHandle(authentication_table_name).dataEditor();
385  if (found) {
386  log << "Updating existing principal " << principalName << " (id: " << principalId << " )" << std::endl;
387  principalKey = cipher1.b64decrypt(princData.adminKey);
388  coral::AttributeList updateData;
389  updateData.extend<int>(PRINCIPAL_ID_COL);
390  updateData.extend<std::string>(VERIFICATION_COL);
391  updateData.extend<std::string>(PRINCIPAL_KEY_COL);
392  updateData.extend<std::string>(ADMIN_KEY_COL);
393  updateData[PRINCIPAL_ID_COL].data<int>() = principalId;
394  updateData[VERIFICATION_COL].data<std::string>() = verifStr;
395  updateData[PRINCIPAL_KEY_COL].data<std::string>() = cipher0.b64encrypt(principalKey);
396  updateData[ADMIN_KEY_COL].data<std::string>() = cipher1.b64encrypt(principalKey);
397  std::stringstream setClause;
398  setClause << VERIFICATION_COL << " = :" << VERIFICATION_COL << ", ";
399  setClause << PRINCIPAL_KEY_COL << " = :" << PRINCIPAL_KEY_COL << ", ";
400  setClause << ADMIN_KEY_COL << " = :" << ADMIN_KEY_COL;
401  std::string whereClause = PRINCIPAL_ID_COL + " = :" + PRINCIPAL_ID_COL;
402  editor.updateRows(setClause.str(), whereClause, updateData);
403  } else {
404  if (init) {
405  principalKey = adminKey;
406  } else {
407  auth::KeyGenerator gen;
408  principalKey = gen.make(auth::COND_DB_KEY_SIZE);
409  }
410  coral::ITableDataEditor& editor0 = schema.tableHandle(authentication_table_name).dataEditor();
411 
412  if (!getNextSequenceValue(schemaVersion, schema, authentication_table_name, principalId))
413  throwException("Can't find " + authentication_table_name + " sequence.", "CredentialStore::updatePrincipal");
414  log << "Creating new principal " << principalName << " (id: " << principalId << " )" << std::endl;
415  coral::AttributeList authData;
416  editor0.rowBuffer(authData);
417  authData[PRINCIPAL_ID_COL].data<int>() = principalId;
418  authData[PRINCIPAL_NAME_COL].data<std::string>() = principalName;
419  authData[VERIFICATION_COL].data<std::string>() = verifStr;
420  authData[PRINCIPAL_KEY_COL].data<std::string>() = cipher0.b64encrypt(principalKey);
421  authData[ADMIN_KEY_COL].data<std::string>() = cipher1.b64encrypt(principalKey);
422  editor0.insertRow(authData);
423  }
424 
425  return std::make_pair(principalId, principalKey);
426  }
427 
428  bool setPermissionData(const std::string& schemaVersion,
429  coral::ISchema& schema,
430  int principalId,
431  const std::string& principalKey,
432  const std::string& role,
433  const std::string& connectionString,
434  int connectionId,
435  const std::string& connectionKey,
436  std::stringstream& log) {
437  if (cond::auth::ROLES.find(role) == cond::auth::ROLES.end()) {
438  throwException(std::string("Role ") + role + " does not exists.", "CredentialStore::setPermission");
439  }
440  auth::Cipher cipher(principalKey);
441  std::string encryptedConnectionKey = cipher.b64encrypt(connectionKey);
442  AuthorizationData authData;
443  bool found = selectAuthorization(schemaVersion, schema, principalId, role, connectionString, authData);
444 
445  std::string authorization_table_name = tname(AUTHORIZATION_TABLE, schemaVersion);
446  coral::ITableDataEditor& editor = schema.tableHandle(authorization_table_name).dataEditor();
447  if (found) {
448  log << "Updating permission for principal id " << principalId << " to access resource " << connectionString
449  << " with role " << role << std::endl;
450  coral::AttributeList updateData;
451  updateData.extend<int>(AUTH_ID_COL);
452  updateData.extend<int>(C_ID_COL);
453  updateData.extend<std::string>(AUTH_KEY_COL);
454  updateData[AUTH_ID_COL].data<int>() = authData.id;
455  updateData[C_ID_COL].data<int>() = connectionId;
456  updateData[AUTH_KEY_COL].data<std::string>() = encryptedConnectionKey;
457  std::string setCl = C_ID_COL + " = :" + C_ID_COL + ", " + AUTH_KEY_COL + " = :" + AUTH_KEY_COL;
458  std::string whereCl = AUTH_ID_COL + " = :" + AUTH_ID_COL;
459  editor.updateRows(setCl, whereCl, updateData);
460  } else {
461  int next = -1;
462  if (!getNextSequenceValue(schemaVersion, schema, authorization_table_name, next))
463  throwException("Can't find " + authorization_table_name + " sequence.", "CredentialStore::setPermission");
464  log << "Setting permission for principal id " << principalId << " to access resource " << connectionString
465  << " with role " << role << std::endl;
466  coral::AttributeList insertData;
467  insertData.extend<int>(AUTH_ID_COL);
468  insertData.extend<int>(P_ID_COL);
469  insertData.extend<std::string>(ROLE_COL);
470  insertData.extend<std::string>(SCHEMA_COL);
471  insertData.extend<std::string>(AUTH_KEY_COL);
472  insertData.extend<int>(C_ID_COL);
473  insertData[AUTH_ID_COL].data<int>() = next;
474  insertData[P_ID_COL].data<int>() = principalId;
475  insertData[ROLE_COL].data<std::string>() = role;
476  insertData[SCHEMA_COL].data<std::string>() = connectionString;
477  insertData[AUTH_KEY_COL].data<std::string>() = encryptedConnectionKey;
478  insertData[C_ID_COL].data<int>() = connectionId;
479  editor.insertRow(insertData);
480  }
481  return true;
482  }
483 
484  std::pair<int, std::string> updateConnectionData(const std::string& schemaVersion,
485  coral::ISchema& schema,
486  const std::string& adminKey,
487  const std::string& connectionLabel,
488  const std::string& userName,
489  const std::string& password,
490  bool forceUpdate,
491  std::stringstream& log) {
492  CredentialData credsData;
493  bool found = selectConnection(schemaVersion, schema, connectionLabel, credsData);
494  int connId = credsData.id;
495 
496  auth::Cipher adminCipher(adminKey);
497  std::string connectionKey("");
498  std::string credential_table_name = tname(CREDENTIAL_TABLE, schemaVersion);
499  coral::ITableDataEditor& editor = schema.tableHandle(credential_table_name).dataEditor();
500  if (found) {
501  connectionKey = adminCipher.b64decrypt(credsData.connectionKey);
502  auth::Cipher cipher(connectionKey);
503  std::string verificationKey = cipher.b64decrypt(credsData.verificationKey);
504  if (verificationKey != connectionLabel) {
505  throwException("Decoding of connection key failed.", "CredentialStore::updateConnection");
506  }
507  if (forceUpdate) {
508  std::string encryptedUserName = cipher.b64encrypt(userName);
509  std::string encryptedPassword = cipher.b64encrypt(password);
510  log << "Forcing update of connection " << connectionLabel << std::endl;
511  coral::AttributeList updateData;
512  updateData.extend<int>(CONNECTION_ID_COL);
513  updateData.extend<std::string>(USERNAME_COL);
514  updateData.extend<std::string>(PASSWORD_COL);
515  updateData[CONNECTION_ID_COL].data<int>() = connId;
516  updateData[USERNAME_COL].data<std::string>() = encryptedUserName;
517  updateData[PASSWORD_COL].data<std::string>() = encryptedPassword;
518  std::stringstream setCl;
519  setCl << USERNAME_COL << " = :" << USERNAME_COL;
520  setCl << ", " << PASSWORD_COL << " = :" << PASSWORD_COL;
521  std::string whereCl = CONNECTION_ID_COL + " = :" + CONNECTION_ID_COL;
522  editor.updateRows(setCl.str(), whereCl, updateData);
523  }
524  } else {
525  auth::KeyGenerator gen;
526  connectionKey = gen.make(auth::COND_DB_KEY_SIZE);
527  auth::Cipher cipher(connectionKey);
528  std::string encryptedUserName = cipher.b64encrypt(userName);
529  std::string encryptedPassword = cipher.b64encrypt(password);
530  std::string encryptedLabel = cipher.b64encrypt(connectionLabel);
531 
532  if (!getNextSequenceValue(schemaVersion, schema, credential_table_name, connId))
533  throwException("Can't find " + credential_table_name + " sequence.", "CredentialStore::updateConnection");
534  log << "Creating new connection " << connectionLabel << std::endl;
535  coral::AttributeList insertData;
536  insertData.extend<int>(CONNECTION_ID_COL);
537  insertData.extend<std::string>(CONNECTION_LABEL_COL);
538  insertData.extend<std::string>(USERNAME_COL);
539  insertData.extend<std::string>(PASSWORD_COL);
540  insertData.extend<std::string>(VERIFICATION_KEY_COL);
541  insertData.extend<std::string>(CONNECTION_KEY_COL);
542  insertData[CONNECTION_ID_COL].data<int>() = connId;
543  insertData[CONNECTION_LABEL_COL].data<std::string>() = connectionLabel;
544  insertData[USERNAME_COL].data<std::string>() = encryptedUserName;
545  insertData[PASSWORD_COL].data<std::string>() = encryptedPassword;
546  insertData[VERIFICATION_KEY_COL].data<std::string>() = encryptedLabel;
547  insertData[CONNECTION_KEY_COL].data<std::string>() = adminCipher.b64encrypt(connectionKey);
548  ;
549  editor.insertRow(insertData);
550  }
551  return std::make_pair(connId, connectionKey);
552  }
553 
554 } // namespace cond
555 
556 // class private methods
557 void cond::CredentialStore::closeSession(bool commit) {
558  if (m_session.get()) {
559  if (m_session->transaction().isActive()) {
560  if (commit) {
561  m_session->transaction().commit();
562  } else {
563  m_session->transaction().rollback();
564  }
565  }
566  m_session->endUserSession();
567  }
568  m_session.reset();
569  if (m_connection.get()) {
570  m_connection->disconnect();
571  }
572  m_connection.reset();
573  m_log << "Session has been closed." << std::endl;
574 }
575 
576 std::pair<std::string, std::string> cond::CredentialStore::openConnection(const std::string& connectionString) {
577  coral::IHandle<coral::IRelationalService> relationalService =
578  coral::Context::instance().query<coral::IRelationalService>();
579  if (!relationalService.isValid()) {
580  coral::Context::instance().loadComponent("CORAL/Services/RelationalService");
581  relationalService = coral::Context::instance().query<coral::IRelationalService>();
582  }
583  coral::IRelationalDomain& domain = relationalService->domainForConnection(connectionString);
584  std::pair<std::string, std::string> connTokens = domain.decodeUserConnectionString(connectionString);
585  m_connection.reset(domain.newConnection(connTokens.first));
586  m_connection->connect();
587  return connTokens;
588 }
589 
590 void cond::CredentialStore::openSession(const std::string& schemaName,
591  const std::string& userName,
592  const std::string& password,
593  bool readMode) {
594  coral::AccessMode accessMode = coral::ReadOnly;
595  if (!readMode)
596  accessMode = coral::Update;
597  m_session.reset(m_connection->newSession(schemaName, accessMode));
598  m_session->startUserSession(userName, password);
599  // open read-only transaction
600  m_session->transaction().start(readMode);
601  m_log << "New session opened." << std::endl;
602 }
603 
604 void cond::CredentialStore::startSuperSession(const std::string& connectionString,
605  const std::string& userName,
606  const std::string& password) {
607  std::pair<std::string, std::string> connTokens = openConnection(connectionString);
608  openSession(connTokens.second, userName, password, false);
609 }
610 
611 // open session on the storage
612 void cond::CredentialStore::startSession(bool readMode) {
613  if (!m_serviceData) {
614  throwException("The credential store has not been initialized.", "cond::CredentialStore::openConnection");
615  }
616  const std::string& storeConnectionString = m_serviceData->connectionString;
617 
618  std::pair<std::string, std::string> connTokens = openConnection(storeConnectionString);
619 
620  const std::string& userName = m_serviceData->userName;
621  const std::string& password = m_serviceData->password;
622 
623  openSession(connTokens.second, userName, password, true);
624 
625  coral::ISchema& schema = m_session->nominalSchema();
626  const std::string& schemaVersion = m_key.version();
627  if (!schema.existsTable(tname(AUTHENTICATION_TABLE, schemaVersion)) ||
628  !schema.existsTable(tname(AUTHORIZATION_TABLE, schemaVersion)) ||
629  !schema.existsTable(tname(CREDENTIAL_TABLE, schemaVersion))) {
630  throwException("Credential database does not exists in \"" + storeConnectionString + "\"",
631  "CredentialStore::startSession");
632  }
633 
634  const std::string& principalName = m_key.principalName();
635  // now authenticate...
636  PrincipalData princData;
637  if (!selectPrincipal(schemaVersion, m_session->nominalSchema(), principalName, princData)) {
638  throwException("Invalid credentials provided.(0)", "CredentialStore::startSession");
639  }
640  auth::Cipher cipher0(m_key.principalKey());
641  std::string verifStr = cipher0.b64decrypt(princData.verifKey);
642  if (verifStr != principalName) {
643  throwException("Invalid credentials provided (1)", "CredentialStore::startSession");
644  }
645  // ok, authenticated!
646  m_principalId = princData.id;
647  m_principalKey = cipher0.b64decrypt(princData.principalKey);
648 
649  if (!readMode) {
650  auth::Cipher cipher0(m_principalKey);
651  std::string adminKey = cipher0.b64decrypt(princData.adminKey);
652  if (adminKey != m_principalKey) {
653  // not admin user!
654  throwException("Provided credentials does not allow admin operation.", "CredentialStore::openSession");
655  }
656 
657  // first find the credentials for WRITING in the security tables
658  std::unique_ptr<coral::IQuery> query(schema.newQuery());
659  query->addToTableList(tname(AUTHORIZATION_TABLE, schemaVersion), "AUTHO");
660  query->addToTableList(tname(CREDENTIAL_TABLE, schemaVersion), "CREDS");
661  coral::AttributeList readBuff;
662  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
663  readBuff.extend<std::string>("CREDS." + CONNECTION_KEY_COL);
664  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
665  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
666  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
667  coral::AttributeList whereData;
668  whereData.extend<int>(P_ID_COL);
669  whereData.extend<std::string>(ROLE_COL);
670  whereData.extend<std::string>(SCHEMA_COL);
671  whereData[P_ID_COL].data<int>() = m_principalId;
672  whereData[ROLE_COL].data<std::string>() = auth::COND_ADMIN_ROLE;
673  whereData[SCHEMA_COL].data<std::string>() = storeConnectionString;
674  std::stringstream whereClause;
675  whereClause << "AUTHO." << C_ID_COL << " = CREDS." << CONNECTION_ID_COL;
676  whereClause << " AND AUTHO." << P_ID_COL << " = :" << P_ID_COL;
677  whereClause << " AND AUTHO." << ROLE_COL << " = :" << ROLE_COL;
678  whereClause << " AND AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
679  query->defineOutput(readBuff);
680  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
681  query->addToOutputList("CREDS." + CONNECTION_KEY_COL);
682  query->addToOutputList("CREDS." + USERNAME_COL);
683  query->addToOutputList("CREDS." + PASSWORD_COL);
684  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
685  query->setCondition(whereClause.str(), whereData);
686  coral::ICursor& cursor = query->execute();
687  bool found = false;
688  std::string writeUserName("");
689  std::string writePassword("");
690  if (cursor.next()) {
691  const coral::AttributeList& row = cursor.currentRow();
692  const std::string& connLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
693  const std::string& encryptedConnectionKey = row["CREDS." + CONNECTION_KEY_COL].data<std::string>();
694  std::string connectionKey = cipher0.b64decrypt(encryptedConnectionKey);
695  auth::Cipher cipher1(connectionKey);
696  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
697  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
698  std::string verificationKey = cipher1.b64decrypt(row["CREDS." + VERIFICATION_KEY_COL].data<std::string>());
699  if (verificationKey != connLabel) {
700  throwException("Could not decrypt credentials.Provided key is invalid.", "CredentialStore::startSession");
701  }
702  writeUserName = cipher1.b64decrypt(encryptedUserName);
703  writePassword = cipher1.b64decrypt(encryptedPassword);
704  found = true;
705  }
706  if (!found) {
707  throwException("Provided credentials are invalid for write access.", "CredentialStore::openSession");
708  }
709  m_session->transaction().commit();
710  m_session->endUserSession();
711  openSession(connTokens.second, writeUserName, writePassword, false);
712  }
713 }
714 
715 // class public methods
716 cond::CredentialStore::CredentialStore()
717  : m_connection(),
718  m_session(),
719  m_principalId(-1),
720  m_principalKey(""),
721  m_serviceName(""),
722  m_serviceData(nullptr),
723  m_key(),
724  m_log() {}
725 
726 cond::CredentialStore::~CredentialStore() {}
727 
728 std::string cond::CredentialStore::setUpForService(const std::string& serviceName, const std::string& authPath) {
729  if (serviceName.empty()) {
730  throwException("Service name has not been provided.", "cond::CredentialStore::setUpConnection");
731  }
732  m_serviceName.clear();
733  m_serviceData = nullptr;
734 
735  if (authPath.empty()) {
736  throwException("The authentication Path has not been provided.", "cond::CredentialStore::setUpForService");
737  }
738  std::filesystem::path fullPath(authPath);
739  if (!std::filesystem::exists(authPath) || !std::filesystem::is_directory(authPath)) {
740  throwException("Authentication Path is invalid.", "cond::CredentialStore::setUpForService");
741  }
742  std::filesystem::path file(auth::DecodingKey::FILE_PATH);
743  fullPath /= file;
744 
745  m_key.init(fullPath.string(), auth::COND_KEY);
746 
747  std::map<std::string, auth::ServiceCredentials>::const_iterator iK = m_key.services().find(serviceName);
748  if (iK == m_key.services().end()) {
749  std::string msg("");
750  msg += "Service \"" + serviceName + "\" can't be open with the current key.";
751  throwException(msg, "cond::CredentialStore::setUpConnection");
752  }
753  m_serviceName = serviceName;
754  m_serviceData = &iK->second;
755  m_log << "Opening Credential Store for service " << m_serviceName << " on " << m_serviceData->connectionString
756  << std::endl;
757  return m_serviceData->connectionString;
758 }
759 
760 std::string cond::CredentialStore::setUpForConnectionString(const std::string& connectionString,
761  const std::string& authPath) {
762  coral::IHandle<coral::IRelationalService> relationalService =
763  coral::Context::instance().query<coral::IRelationalService>();
764  if (!relationalService.isValid()) {
765  coral::Context::instance().loadComponent("CORAL/Services/RelationalService");
766  relationalService = coral::Context::instance().query<coral::IRelationalService>();
767  }
768  coral::IRelationalDomain& domain = relationalService->domainForConnection(connectionString);
769  std::pair<std::string, std::string> connTokens = domain.decodeUserConnectionString(connectionString);
770  std::string& serviceName = connTokens.first;
771  return setUpForService(serviceName, authPath);
772 }
773 
774 void addSequence(const std::string& schemaVersion, coral::ISchema& schema, const std::string& name) {
775  // Create the entry in the table
776  coral::AttributeList insertData;
777  insertData.extend<std::string>(SEQUENCE_NAME_COL);
778  insertData.extend<int>(SEQUENCE_VALUE_COL);
779  coral::AttributeList::iterator iAttribute = insertData.begin();
780  iAttribute->data<std::string>() = name;
781  ++iAttribute;
782  iAttribute->data<int>() = -1;
783  schema.tableHandle(tname(SEQUENCE_TABLE, schemaVersion)).dataEditor().insertRow(insertData);
784 }
785 
786 bool cond::CredentialStore::createSchema(const std::string& connectionString,
787  const std::string& userName,
788  const std::string& password) {
789  CSScopedSession session(*this);
790  session.startSuper(connectionString, userName, password);
791 
792  coral::ISchema& schema = m_session->nominalSchema();
793  std::string authentication_table_name = tname(AUTHENTICATION_TABLE, m_key.version());
794  if (schema.existsTable(authentication_table_name)) {
795  throwException("Credential database, already exists.", "CredentialStore::create");
796  }
797 
798  m_log << "Creating sequence table." << std::endl;
799  std::string sequence_table_name = tname(SEQUENCE_TABLE, m_key.version());
800  coral::TableDescription dseq;
801  dseq.setName(sequence_table_name);
802  dseq.insertColumn(SEQUENCE_NAME_COL, coral::AttributeSpecification::typeNameForType<std::string>());
803  dseq.setNotNullConstraint(SEQUENCE_NAME_COL);
804  dseq.insertColumn(SEQUENCE_VALUE_COL, coral::AttributeSpecification::typeNameForType<int>());
805  dseq.setNotNullConstraint(SEQUENCE_VALUE_COL);
806  dseq.setPrimaryKey(std::vector<std::string>(1, SEQUENCE_NAME_COL));
807  schema.createTable(dseq);
808 
809  int columnSize = 2000;
810 
811  m_log << "Creating authentication table." << std::endl;
812  // authentication table
813  addSequence(m_key.version(), schema, authentication_table_name);
814  coral::TableDescription descr0;
815  descr0.setName(authentication_table_name);
816  descr0.insertColumn(PRINCIPAL_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
817  descr0.insertColumn(
818  PRINCIPAL_NAME_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
819  descr0.insertColumn(
820  VERIFICATION_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
821  descr0.insertColumn(
822  PRINCIPAL_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
823  descr0.insertColumn(ADMIN_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
824  descr0.setNotNullConstraint(PRINCIPAL_ID_COL);
825  descr0.setNotNullConstraint(PRINCIPAL_NAME_COL);
826  descr0.setNotNullConstraint(VERIFICATION_COL);
827  descr0.setNotNullConstraint(PRINCIPAL_KEY_COL);
828  descr0.setNotNullConstraint(ADMIN_KEY_COL);
829  std::vector<std::string> columnsUnique;
830  columnsUnique.push_back(PRINCIPAL_NAME_COL);
831  descr0.setUniqueConstraint(columnsUnique);
832  std::vector<std::string> columnsForIndex;
833  columnsForIndex.push_back(PRINCIPAL_ID_COL);
834  descr0.setPrimaryKey(columnsForIndex);
835  schema.createTable(descr0);
836 
837  m_log << "Creating authorization table." << std::endl;
838  std::string authorization_table_name = tname(AUTHORIZATION_TABLE, m_key.version());
839  // authorization table
840  addSequence(m_key.version(), schema, authorization_table_name);
841  coral::TableDescription descr1;
842  descr1.setName(authorization_table_name);
843  descr1.insertColumn(AUTH_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
844  descr1.insertColumn(P_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
845  descr1.insertColumn(ROLE_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
846  descr1.insertColumn(SCHEMA_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
847  descr1.insertColumn(AUTH_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
848  descr1.insertColumn(C_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
849  descr1.setNotNullConstraint(AUTH_ID_COL);
850  descr1.setNotNullConstraint(P_ID_COL);
851  descr1.setNotNullConstraint(ROLE_COL);
852  descr1.setNotNullConstraint(SCHEMA_COL);
853  descr1.setNotNullConstraint(AUTH_KEY_COL);
854  descr1.setNotNullConstraint(C_ID_COL);
855  columnsUnique.clear();
856  columnsUnique.push_back(P_ID_COL);
857  columnsUnique.push_back(ROLE_COL);
858  columnsUnique.push_back(SCHEMA_COL);
859  descr1.setUniqueConstraint(columnsUnique);
860  columnsForIndex.clear();
861  columnsForIndex.push_back(AUTH_ID_COL);
862  descr1.setPrimaryKey(columnsForIndex);
863  schema.createTable(descr1);
864 
865  m_log << "Creating credential table." << std::endl;
866  std::string credential_table_name = tname(CREDENTIAL_TABLE, m_key.version());
867  // credential table
868  addSequence(m_key.version(), schema, credential_table_name);
869  coral::TableDescription descr2;
870  descr2.setName(credential_table_name);
871  descr2.insertColumn(CONNECTION_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
872  descr2.insertColumn(
873  CONNECTION_LABEL_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
874  descr2.insertColumn(USERNAME_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
875  descr2.insertColumn(PASSWORD_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
876  descr2.insertColumn(
877  VERIFICATION_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
878  descr2.insertColumn(
879  CONNECTION_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
880  descr2.setNotNullConstraint(CONNECTION_ID_COL);
881  descr2.setNotNullConstraint(CONNECTION_LABEL_COL);
882  descr2.setNotNullConstraint(USERNAME_COL);
883  descr2.setNotNullConstraint(PASSWORD_COL);
884  descr2.setNotNullConstraint(VERIFICATION_KEY_COL);
885  descr2.setNotNullConstraint(CONNECTION_KEY_COL);
886  columnsUnique.clear();
887  columnsUnique.push_back(CONNECTION_LABEL_COL);
888  descr2.setUniqueConstraint(columnsUnique);
889  columnsForIndex.clear();
890  columnsForIndex.push_back(CONNECTION_ID_COL);
891  descr2.setPrimaryKey(columnsForIndex);
892  schema.createTable(descr2);
893 
894  try {
895  schema.tableHandle(authentication_table_name)
896  .privilegeManager()
897  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
898  schema.tableHandle(authorization_table_name)
899  .privilegeManager()
900  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
901  schema.tableHandle(credential_table_name)
902  .privilegeManager()
903  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
904  } catch (const coral::Exception& e) {
905  std::cout << "WARNING: Could not grant select access to user " << m_serviceData->userName << ": [" << e.what()
906  << "]" << std::endl;
907  }
908  m_log << "Granting ADMIN access permission." << std::endl;
909  auth::KeyGenerator gen;
910  m_principalKey = gen.make(auth::COND_DB_KEY_SIZE);
911  auto princData = updatePrincipalData(
912  m_key.version(), schema, m_key.principalKey(), m_key.principalName(), m_principalKey, true, m_log);
913  std::string credentialAccessLabel = schemaLabel(m_serviceName, userName);
914  auto connParams = updateConnectionData(
915  m_key.version(), schema, m_principalKey, credentialAccessLabel, userName, password, true, m_log);
916  bool ret = setPermissionData(m_key.version(),
917  schema,
918  princData.first,
919  m_principalKey,
920  auth::COND_ADMIN_ROLE,
921  connectionString,
922  connParams.first,
923  connParams.second,
924  m_log);
925  session.close();
926  return ret;
927 }
928 
929 bool cond::CredentialStore::drop(const std::string& connectionString,
930  const std::string& userName,
931  const std::string& password) {
932  CSScopedSession session(*this);
933  session.startSuper(connectionString, userName, password);
934 
935  m_log << "Dropping AUTHORIZATION, CREDENTIAL, AUTHENTICATION and SEQUENCE tables." << std::endl;
936  coral::ISchema& schema = m_session->nominalSchema();
937  schema.dropIfExistsTable(tname(AUTHORIZATION_TABLE, m_key.version()));
938  schema.dropIfExistsTable(tname(CREDENTIAL_TABLE, m_key.version()));
939  schema.dropIfExistsTable(tname(AUTHENTICATION_TABLE, m_key.version()));
940  schema.dropIfExistsTable(tname(SEQUENCE_TABLE, m_key.version()));
941  session.close();
942  return true;
943 }
944 
945 bool cond::CredentialStore::resetAdmin(const std::string& userName, const std::string& password) {
946  if (!m_serviceData) {
947  throwException("The credential store has not been initialized.", "cond::CredentialStore::installAdmin");
948  }
949  const std::string& connectionString = m_serviceData->connectionString;
950 
951  CSScopedSession session(*this);
952  session.startSuper(connectionString, userName, password);
953 
954  coral::ISchema& schema = m_session->nominalSchema();
955  const std::string& principalName = m_key.principalName();
956  const std::string& authenticationKey = m_key.principalKey();
957  PrincipalData princData;
958  if (!selectPrincipal(m_key.version(), schema, principalName, princData)) {
959  std::string msg("User \"");
960  msg += principalName + "\" has not been found.";
961  throwException(msg, "CredentialStore::resetAdmin");
962  }
963  auth::Cipher cipher0(authenticationKey);
964  m_principalKey = cipher0.b64decrypt(princData.principalKey);
965 
966  auto p = updatePrincipalData(m_key.version(), schema, authenticationKey, principalName, m_principalKey, false, m_log);
967  std::string credentialAccessLabel = schemaLabel(m_serviceName, userName);
968  auto connParams = updateConnectionData(
969  m_key.version(), schema, m_principalKey, credentialAccessLabel, userName, password, true, m_log);
970  bool ret = setPermissionData(m_key.version(),
971  schema,
972  p.first,
973  m_principalKey,
974  auth::COND_ADMIN_ROLE,
975  connectionString,
976  connParams.first,
977  connParams.second,
978  m_log);
979  session.close();
980  return ret;
981 }
982 
983 bool cond::CredentialStore::updatePrincipal(const std::string& principalName,
984  const std::string& authenticationKey,
985  bool setAdmin) {
986  CSScopedSession session(*this);
987  session.start(false);
988  coral::ISchema& schema = m_session->nominalSchema();
989  auto princData =
990  updatePrincipalData(m_key.version(), schema, authenticationKey, principalName, m_principalKey, false, m_log);
991  bool ret = false;
992  if (setAdmin) {
993  int princId = princData.first;
994  std::string princKey = m_principalKey;
995  std::string connString = m_serviceData->connectionString;
996  std::vector<Permission> permissions;
997  if (!selectPermissions(m_key.principalName(), auth::COND_ADMIN_ROLE, connString, permissions)) {
998  throwException("The current operating user is not admin user on the underlying Credential Store.",
999  "CredentialStore::updatePrincipal");
1000  }
1001  std::string connLabel = permissions.front().connectionLabel;
1002  CredentialData credsData;
1003  if (!selectConnection(m_key.version(), schema, connLabel, credsData)) {
1004  throwException("Credential Store connection has not been defined.", "CredentialStore::updatePrincipal");
1005  }
1006  auth::Cipher adminCipher(m_principalKey);
1007  ret = setPermissionData(m_key.version(),
1008  schema,
1009  princId,
1010  princKey,
1011  auth::COND_ADMIN_ROLE,
1012  connString,
1013  credsData.id,
1014  adminCipher.b64decrypt(credsData.connectionKey),
1015  m_log);
1016  }
1017  session.close();
1018  return ret;
1019 }
1020 
1021 bool cond::CredentialStore::setPermission(const std::string& principal,
1022  const std::string& role,
1023  const std::string& connectionString,
1024  const std::string& connectionLabel) {
1025  CSScopedSession session(*this);
1026  session.start(false);
1027 
1028  coral::ISchema& schema = m_session->nominalSchema();
1029 
1030  PrincipalData princData;
1031  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1032 
1033  if (!found) {
1034  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1035  throwException(msg, "CredentialStore::setPermission");
1036  }
1037 
1038  m_log << "Principal " << principal << " id: " << princData.id << std::endl;
1039  CredentialData credsData;
1040  found = selectConnection(m_key.version(), schema, connectionLabel, credsData);
1041 
1042  if (!found) {
1043  std::string msg = "Connection named \"" + connectionLabel + "\" does not exist in the database.";
1044  throwException(msg, "CredentialStore::setPermission");
1045  }
1046 
1047  auth::Cipher cipher(m_principalKey);
1048  bool ret = setPermissionData(m_key.version(),
1049  schema,
1050  princData.id,
1051  cipher.b64decrypt(princData.adminKey),
1052  role,
1053  connectionString,
1054  credsData.id,
1055  cipher.b64decrypt(credsData.connectionKey),
1056  m_log);
1057  session.close();
1058  return ret;
1059 }
1060 
1061 bool cond::CredentialStore::unsetPermission(const std::string& principal,
1062  const std::string& role,
1063  const std::string& connectionString) {
1064  if (cond::auth::ROLES.find(role) == cond::auth::ROLES.end()) {
1065  throwException(std::string("Role ") + role + " does not exists.", "CredentialStore::unsetPermission");
1066  }
1067  CSScopedSession session(*this);
1068  session.start(false);
1069  coral::ISchema& schema = m_session->nominalSchema();
1070 
1071  PrincipalData princData;
1072  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1073 
1074  if (!found) {
1075  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1076  throwException(msg, "CredentialStore::unsetPermission");
1077  }
1078  m_log << "Removing permission for principal " << principal << " (id: " << princData.id << ") to access resource "
1079  << connectionString << " with role " << role << std::endl;
1080  coral::ITableDataEditor& editor = schema.tableHandle(tname(AUTHORIZATION_TABLE, m_key.version())).dataEditor();
1081  coral::AttributeList deleteData;
1082  deleteData.extend<int>(P_ID_COL);
1083  deleteData.extend<std::string>(ROLE_COL);
1084  deleteData.extend<std::string>(SCHEMA_COL);
1085  deleteData[P_ID_COL].data<int>() = princData.id;
1086  deleteData[ROLE_COL].data<std::string>() = role;
1087  deleteData[SCHEMA_COL].data<std::string>() = connectionString;
1088  std::stringstream whereClause;
1089  whereClause << P_ID_COL + " = :" + P_ID_COL;
1090  whereClause << " AND " << ROLE_COL << " = :" << ROLE_COL;
1091  whereClause << " AND " << SCHEMA_COL << " = :" << SCHEMA_COL;
1092  editor.deleteRows(whereClause.str(), deleteData);
1093  session.close();
1094  return true;
1095 }
1096 
1097 bool cond::CredentialStore::updateConnection(const std::string& connectionLabel,
1098  const std::string& userName,
1099  const std::string& password) {
1100  CSScopedSession session(*this);
1101  session.start(false);
1102 
1103  m_session->transaction().start();
1104  coral::ISchema& schema = m_session->nominalSchema();
1105  std::string connLabel = to_lower(connectionLabel);
1106  updateConnectionData(m_key.version(), schema, m_principalKey, connLabel, userName, password, true, m_log);
1107 
1108  session.close();
1109  return true;
1110 }
1111 
1112 bool cond::CredentialStore::removePrincipal(const std::string& principal) {
1113  CSScopedSession session(*this);
1114  session.start(false);
1115  coral::ISchema& schema = m_session->nominalSchema();
1116 
1117  PrincipalData princData;
1118  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1119 
1120  if (!found) {
1121  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1122  throwException(msg, "CredentialStore::removePrincipal");
1123  }
1124 
1125  m_log << "Removing principal " << principal << " (id: " << princData.id << ")" << std::endl;
1126 
1127  coral::ITableDataEditor& editor0 = schema.tableHandle(tname(AUTHORIZATION_TABLE, m_key.version())).dataEditor();
1128 
1129  coral::AttributeList deleteData0;
1130  deleteData0.extend<int>(P_ID_COL);
1131  deleteData0[P_ID_COL].data<int>() = princData.id;
1132  std::string whereClause0 = P_ID_COL + " = :" + P_ID_COL;
1133  editor0.deleteRows(whereClause0, deleteData0);
1134 
1135  coral::ITableDataEditor& editor1 = schema.tableHandle(tname(AUTHENTICATION_TABLE, m_key.version())).dataEditor();
1136 
1137  coral::AttributeList deleteData1;
1138  deleteData1.extend<int>(PRINCIPAL_ID_COL);
1139  deleteData1[PRINCIPAL_ID_COL].data<int>() = princData.id;
1140  std::string whereClause1 = PRINCIPAL_ID_COL + " = :" + PRINCIPAL_ID_COL;
1141  editor1.deleteRows(whereClause1, deleteData1);
1142 
1143  session.close();
1144 
1145  return true;
1146 }
1147 
1148 bool cond::CredentialStore::removeConnection(const std::string& connectionLabel) {
1149  CSScopedSession session(*this);
1150  session.start(false);
1151  coral::ISchema& schema = m_session->nominalSchema();
1152 
1153  CredentialData credsData;
1154  bool found = selectConnection(m_key.version(), schema, connectionLabel, credsData);
1155 
1156  if (!found) {
1157  std::string msg = "Connection named \"" + connectionLabel + "\" does not exist in the database.";
1158  throwException(msg, "CredentialStore::removeConnection");
1159  }
1160 
1161  m_log << "Removing connection " << connectionLabel << std::endl;
1162  coral::ITableDataEditor& editor0 = schema.tableHandle(tname(AUTHORIZATION_TABLE, m_key.version())).dataEditor();
1163 
1164  coral::AttributeList deleteData0;
1165  deleteData0.extend<int>(C_ID_COL);
1166  deleteData0[C_ID_COL].data<int>() = credsData.id;
1167  std::string whereClause0 = C_ID_COL + " = :" + C_ID_COL;
1168  editor0.deleteRows(whereClause0, deleteData0);
1169 
1170  coral::ITableDataEditor& editor1 = schema.tableHandle(tname(CREDENTIAL_TABLE, m_key.version())).dataEditor();
1171 
1172  coral::AttributeList deleteData1;
1173  deleteData1.extend<int>(CONNECTION_ID_COL);
1174  deleteData1[CONNECTION_ID_COL].data<int>() = credsData.id;
1175  std::string whereClause1 = CONNECTION_ID_COL + " = :" + CONNECTION_ID_COL;
1176  editor1.deleteRows(whereClause1, deleteData1);
1177 
1178  session.close();
1179 
1180  return true;
1181 }
1182 
1183 bool cond::CredentialStore::selectForUser(coral_bridge::AuthenticationCredentialSet& destinationData) {
1184  CSScopedSession session(*this);
1185  session.start(true);
1186  coral::ISchema& schema = m_session->nominalSchema();
1187 
1188  auth::Cipher cipher(m_principalKey);
1189 
1190  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1191  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1192  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1193  coral::AttributeList readBuff;
1194  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1195  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1196  readBuff.extend<std::string>("AUTHO." + AUTH_KEY_COL);
1197  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1198  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1199  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1200  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1201  coral::AttributeList whereData;
1202  whereData.extend<int>(P_ID_COL);
1203  whereData[P_ID_COL].data<int>() = m_principalId;
1204  std::stringstream whereClause;
1205  whereClause << "AUTHO." << C_ID_COL << "="
1206  << "CREDS." << CONNECTION_ID_COL;
1207  whereClause << " AND "
1208  << "AUTHO." << P_ID_COL << " = :" << P_ID_COL;
1209  query->defineOutput(readBuff);
1210  query->addToOutputList("AUTHO." + ROLE_COL);
1211  query->addToOutputList("AUTHO." + SCHEMA_COL);
1212  query->addToOutputList("AUTHO." + AUTH_KEY_COL);
1213  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1214  query->addToOutputList("CREDS." + USERNAME_COL);
1215  query->addToOutputList("CREDS." + PASSWORD_COL);
1216  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1217  query->setCondition(whereClause.str(), whereData);
1218  coral::ICursor& cursor = query->execute();
1219  while (cursor.next()) {
1220  const coral::AttributeList& row = cursor.currentRow();
1221  const std::string& role = row["AUTHO." + ROLE_COL].data<std::string>();
1222  const std::string& connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1223  const std::string& encryptedAuthKey = row["AUTHO." + AUTH_KEY_COL].data<std::string>();
1224  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1225  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1226  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1227  std::string authKey = cipher.b64decrypt(encryptedAuthKey);
1228  auth::Cipher connCipher(authKey);
1229  std::string verificationString = connCipher.b64decrypt(row["CREDS." + VERIFICATION_KEY_COL].data<std::string>());
1230  if (verificationString == connectionLabel) {
1231  destinationData.registerCredentials(
1232  connectionString, role, connCipher.b64decrypt(encryptedUserName), connCipher.b64decrypt(encryptedPassword));
1233  }
1234  }
1235  session.close();
1236  return true;
1237 }
1238 
1239 std::pair<std::string, std::string> cond::CredentialStore::getUserCredentials(const std::string& connectionString,
1240  const std::string& role) {
1241  CSScopedSession session(*this);
1242  session.start(true);
1243  coral::ISchema& schema = m_session->nominalSchema();
1244 
1245  auth::Cipher cipher(m_principalKey);
1246 
1247  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1248  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1249  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1250  coral::AttributeList readBuff;
1251  readBuff.extend<std::string>("AUTHO." + AUTH_KEY_COL);
1252  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1253  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1254  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1255  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1256  coral::AttributeList whereData;
1257  whereData.extend<int>(P_ID_COL);
1258  whereData.extend<std::string>(SCHEMA_COL);
1259  whereData.extend<std::string>(ROLE_COL);
1260  whereData[P_ID_COL].data<int>() = m_principalId;
1261  whereData[SCHEMA_COL].data<std::string>() = connectionString;
1262  whereData[ROLE_COL].data<std::string>() = role;
1263  std::stringstream whereClause;
1264  whereClause << "AUTHO." << C_ID_COL << "="
1265  << "CREDS." << CONNECTION_ID_COL;
1266  whereClause << " AND "
1267  << "AUTHO." << P_ID_COL << " = :" << P_ID_COL;
1268  whereClause << " AND "
1269  << "AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
1270  whereClause << " AND "
1271  << "AUTHO." << ROLE_COL << " = :" << ROLE_COL;
1272  query->defineOutput(readBuff);
1273  query->addToOutputList("AUTHO." + AUTH_KEY_COL);
1274  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1275  query->addToOutputList("CREDS." + USERNAME_COL);
1276  query->addToOutputList("CREDS." + PASSWORD_COL);
1277  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1278  query->setCondition(whereClause.str(), whereData);
1279  coral::ICursor& cursor = query->execute();
1280  auto ret = std::make_pair(std::string(""), std::string(""));
1281  if (cursor.next()) {
1282  const coral::AttributeList& row = cursor.currentRow();
1283  const std::string& encryptedAuthKey = row["AUTHO." + AUTH_KEY_COL].data<std::string>();
1284  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1285  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1286  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1287  std::string authKey = cipher.b64decrypt(encryptedAuthKey);
1288  auth::Cipher connCipher(authKey);
1289  std::string verificationString = connCipher.b64decrypt(row["CREDS." + VERIFICATION_KEY_COL].data<std::string>());
1290  if (verificationString == connectionLabel) {
1291  ret.first = connCipher.b64decrypt(encryptedUserName);
1292  ret.second = connCipher.b64decrypt(encryptedPassword);
1293  }
1294  }
1295  session.close();
1296  return ret;
1297 }
1298 
1299 bool cond::CredentialStore::importForPrincipal(const std::string& principal,
1300  const coral_bridge::AuthenticationCredentialSet& dataSource,
1301  bool forceUpdateConnection) {
1302  CSScopedSession session(*this);
1303  session.start(false);
1304  coral::ISchema& schema = m_session->nominalSchema();
1305 
1306  PrincipalData princData;
1307  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1308 
1309  if (!found) {
1310  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1311  throwException(msg, "CredentialStore::importForPrincipal");
1312  }
1313 
1314  bool imported = false;
1315  auth::Cipher cipher(m_principalKey);
1316  std::string princKey = cipher.b64decrypt(princData.adminKey);
1317 
1318  const std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>& creds = dataSource.data();
1319  for (std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iConn =
1320  creds.begin();
1321  iConn != creds.end();
1322  ++iConn) {
1323  const std::string& connectionString = iConn->first.first;
1324  coral::URIParser parser;
1325  parser.setURI(connectionString);
1326  std::string serviceName = parser.hostName();
1327  const std::string& role = iConn->first.second;
1328  std::string userName = iConn->second->valueForItem(coral::IAuthenticationCredentials::userItem());
1329  std::string password = iConn->second->valueForItem(coral::IAuthenticationCredentials::passwordItem());
1330  // first import the connections
1331  std::pair<int, std::string> conn = updateConnectionData(m_key.version(),
1332  schema,
1333  m_principalKey,
1334  schemaLabel(serviceName, userName),
1335  userName,
1336  password,
1337  forceUpdateConnection,
1338  m_log);
1339  auth::Cipher cipher(m_principalKey);
1340  // than set the permission for the specific role
1341  setPermissionData(
1342  m_key.version(), schema, princData.id, princKey, role, connectionString, conn.first, conn.second, m_log);
1343  imported = true;
1344  }
1345  session.close();
1346  return imported;
1347 }
1348 
1349 bool cond::CredentialStore::listPrincipals(std::vector<std::string>& destination) {
1350  CSScopedSession session(*this);
1351  session.start(true);
1352  coral::ISchema& schema = m_session->nominalSchema();
1353 
1354  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHENTICATION_TABLE, m_key.version())).newQuery());
1355  coral::AttributeList readBuff;
1356  readBuff.extend<std::string>(PRINCIPAL_NAME_COL);
1357  query->defineOutput(readBuff);
1358  query->addToOutputList(PRINCIPAL_NAME_COL);
1359  coral::ICursor& cursor = query->execute();
1360  bool found = false;
1361  while (cursor.next()) {
1362  found = true;
1363  const coral::AttributeList& row = cursor.currentRow();
1364  destination.push_back(row[PRINCIPAL_NAME_COL].data<std::string>());
1365  }
1366  session.close();
1367  return found;
1368 }
1369 
1370 bool cond::CredentialStore::listConnections(std::map<std::string, std::pair<std::string, std::string> >& destination) {
1371  CSScopedSession session(*this);
1372  session.start(true);
1373  coral::ISchema& schema = m_session->nominalSchema();
1374 
1375  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(CREDENTIAL_TABLE, m_key.version())).newQuery());
1376  coral::AttributeList readBuff;
1377  readBuff.extend<std::string>(CONNECTION_LABEL_COL);
1378  readBuff.extend<std::string>(USERNAME_COL);
1379  readBuff.extend<std::string>(PASSWORD_COL);
1380  readBuff.extend<std::string>(VERIFICATION_KEY_COL);
1381  readBuff.extend<std::string>(CONNECTION_KEY_COL);
1382  query->defineOutput(readBuff);
1383  query->addToOutputList(CONNECTION_LABEL_COL);
1384  query->addToOutputList(USERNAME_COL);
1385  query->addToOutputList(PASSWORD_COL);
1386  query->addToOutputList(VERIFICATION_KEY_COL);
1387  query->addToOutputList(CONNECTION_KEY_COL);
1388  coral::ICursor& cursor = query->execute();
1389  bool found = false;
1390  auth::Cipher cipher0(m_principalKey);
1391  while (cursor.next()) {
1392  std::string userName("");
1393  std::string password("");
1394  const coral::AttributeList& row = cursor.currentRow();
1395  const std::string& connLabel = row[CONNECTION_LABEL_COL].data<std::string>();
1396  const std::string& encryptedKey = row[CONNECTION_KEY_COL].data<std::string>();
1397  const std::string& encryptedVerif = row[VERIFICATION_KEY_COL].data<std::string>();
1398  std::string connKey = cipher0.b64decrypt(encryptedKey);
1399  auth::Cipher cipher1(connKey);
1400  std::string verif = cipher1.b64decrypt(encryptedVerif);
1401  if (verif == connLabel) {
1402  const std::string& encryptedUserName = row[USERNAME_COL].data<std::string>();
1403  const std::string& encryptedPassword = row[PASSWORD_COL].data<std::string>();
1404  userName = cipher1.b64decrypt(encryptedUserName);
1405  password = cipher1.b64decrypt(encryptedPassword);
1406  }
1407  destination.insert(std::make_pair(connLabel, std::make_pair(userName, password)));
1408  found = true;
1409  }
1410  session.close();
1411  return found;
1412 }
1413 
1414 bool cond::CredentialStore::selectPermissions(const std::string& principalName,
1415  const std::string& role,
1416  const std::string& connectionString,
1417  std::vector<Permission>& destination) {
1418  CSScopedSession session(*this);
1419  session.start(true);
1420  coral::ISchema& schema = m_session->nominalSchema();
1421  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1422  query->addToTableList(tname(AUTHENTICATION_TABLE, m_key.version()), "AUTHE");
1423  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1424  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1425  coral::AttributeList readBuff;
1426  readBuff.extend<std::string>("AUTHE." + PRINCIPAL_NAME_COL);
1427  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1428  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1429  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1430  coral::AttributeList whereData;
1431  std::stringstream whereClause;
1432  whereClause << "AUTHE." << PRINCIPAL_ID_COL << "= AUTHO." << P_ID_COL;
1433  whereClause << " AND AUTHO." << C_ID_COL << "="
1434  << "CREDS." << CONNECTION_ID_COL;
1435  if (!principalName.empty()) {
1436  whereData.extend<std::string>(PRINCIPAL_NAME_COL);
1437  whereData[PRINCIPAL_NAME_COL].data<std::string>() = principalName;
1438  whereClause << " AND AUTHE." << PRINCIPAL_NAME_COL << " = :" << PRINCIPAL_NAME_COL;
1439  }
1440  if (!role.empty()) {
1441  whereData.extend<std::string>(ROLE_COL);
1442  whereData[ROLE_COL].data<std::string>() = role;
1443  whereClause << " AND AUTHO." << ROLE_COL << " = :" << ROLE_COL;
1444  }
1445  if (!connectionString.empty()) {
1446  whereData.extend<std::string>(SCHEMA_COL);
1447  whereData[SCHEMA_COL].data<std::string>() = connectionString;
1448  whereClause << " AND AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
1449  }
1450 
1451  query->defineOutput(readBuff);
1452  query->addToOutputList("AUTHE." + PRINCIPAL_NAME_COL);
1453  query->addToOutputList("AUTHO." + ROLE_COL);
1454  query->addToOutputList("AUTHO." + SCHEMA_COL);
1455  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1456  query->setCondition(whereClause.str(), whereData);
1457  query->addToOrderList("AUTHO." + SCHEMA_COL);
1458  query->addToOrderList("AUTHE." + PRINCIPAL_NAME_COL);
1459  query->addToOrderList("AUTHO." + ROLE_COL);
1460  coral::ICursor& cursor = query->execute();
1461  bool found = false;
1462  while (cursor.next()) {
1463  const coral::AttributeList& row = cursor.currentRow();
1464  destination.resize(destination.size() + 1);
1465  Permission& perm = destination.back();
1466  perm.principalName = row["AUTHE." + PRINCIPAL_NAME_COL].data<std::string>();
1467  perm.role = row["AUTHO." + ROLE_COL].data<std::string>();
1468  perm.connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1469  perm.connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1470  found = true;
1471  }
1472  session.close();
1473  return found;
1474 }
1475 
1476 bool cond::CredentialStore::exportAll(coral_bridge::AuthenticationCredentialSet& data) {
1477  CSScopedSession session(*this);
1478  session.start(true);
1479  coral::ISchema& schema = m_session->nominalSchema();
1480  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1481  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1482  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1483  coral::AttributeList readBuff;
1484  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1485  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1486  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1487  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1488  readBuff.extend<std::string>("CREDS." + CONNECTION_KEY_COL);
1489  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1490  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1491  coral::AttributeList whereData;
1492  std::stringstream whereClause;
1493  whereClause << "AUTHO." << C_ID_COL << "="
1494  << "CREDS." << CONNECTION_ID_COL;
1495 
1496  query->defineOutput(readBuff);
1497  query->addToOutputList("AUTHO." + ROLE_COL);
1498  query->addToOutputList("AUTHO." + SCHEMA_COL);
1499  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1500  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1501  query->addToOutputList("CREDS." + CONNECTION_KEY_COL);
1502  query->addToOutputList("CREDS." + USERNAME_COL);
1503  query->addToOutputList("CREDS." + PASSWORD_COL);
1504  query->setCondition(whereClause.str(), whereData);
1505  coral::ICursor& cursor = query->execute();
1506  bool found = false;
1507  auth::Cipher cipher0(m_principalKey);
1508  while (cursor.next()) {
1509  const coral::AttributeList& row = cursor.currentRow();
1510  const std::string& role = row["AUTHO." + ROLE_COL].data<std::string>();
1511  const std::string& connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1512  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1513  const std::string& encryptedVerifKey = row["CREDS." + VERIFICATION_KEY_COL].data<std::string>();
1514  const std::string& encryptedConnection = row["CREDS." + CONNECTION_KEY_COL].data<std::string>();
1515  std::string userName("");
1516  std::string password("");
1517  std::string connectionKey = cipher0.b64decrypt(encryptedConnection);
1518  auth::Cipher cipher1(connectionKey);
1519  std::string verifKey = cipher1.b64decrypt(encryptedVerifKey);
1520  if (verifKey == connectionLabel) {
1521  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1522  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1523  userName = cipher1.b64decrypt(encryptedUserName);
1524  password = cipher1.b64decrypt(encryptedPassword);
1525  }
1526  data.registerCredentials(connectionString, role, userName, password);
1527  found = true;
1528  }
1529  session.close();
1530  return found;
1531 }
1532 
1533 const std::string& cond::CredentialStore::serviceName() { return m_serviceName; }
1534 
1535 const std::string& cond::CredentialStore::keyPrincipalName() { return m_key.principalName(); }
1536 
1537 std::string cond::CredentialStore::log() { return m_log.str(); }
runTheMatrix.ret
ret
prodAgent to be discontinued
Definition: runTheMatrix.py:542
cond::CredentialData::verificationKey
std::string verificationKey
Definition: CredentialStore.cc:243
lumi_dqm_sourceclient-live_cfg.authPath
authPath
Definition: lumi_dqm_sourceclient-live_cfg.py:33
cond::AuthorizationData::AuthorizationData
AuthorizationData()
Definition: CredentialStore.cc:287
ROLE_COL
static const std::string ROLE_COL("C_ROLE")
SCHEMA_COL
static const std::string SCHEMA_COL("C_SCHEMA")
AUTHORIZATION_TABLE
static const std::string AUTHORIZATION_TABLE("AUTHORIZATION")
DEFAULT_DATA_SOURCE
const std::string DEFAULT_DATA_SOURCE("Cond_Default_Authentication")
cond::PrincipalData::PrincipalData
PrincipalData()
Definition: CredentialStore.cc:203
cond::CredentialStore::keyPrincipalName
const std::string & keyPrincipalName()
Definition: CredentialStore.cc:1535
cond::auth::COND_ADMIN_ROLE
static constexpr const char *const COND_ADMIN_ROLE
Definition: Auth.h:19
AUTHENTICATION_TABLE
static const std::string AUTHENTICATION_TABLE("AUTHENTICATION")
cond::PrincipalData
Definition: CredentialStore.cc:198
cond::CredentialStore::updatePrincipal
bool updatePrincipal(const std::string &principal, const std::string &principalKey, bool setAdmin=false)
Definition: CredentialStore.cc:983
Exception.h
C_ID_COL
static const std::string C_ID_COL("C_ID")
cond::CSScopedSession::~CSScopedSession
~CSScopedSession()
Definition: CredentialStore.cc:187
contentValuesFiles.fullPath
fullPath
Definition: contentValuesFiles.py:64
cond::updatePrincipalData
std::pair< int, std::string > updatePrincipalData(const std::string &schemaVersion, coral::ISchema &schema, const std::string &authenticationKey, const std::string &principalName, const std::string &adminKey, bool init, std::stringstream &log)
Definition: CredentialStore.cc:365
AlCaHLTBitMon_ParallelJobs.p
p
Definition: AlCaHLTBitMon_ParallelJobs.py:153
AUTH_KEY_COL
static const std::string AUTH_KEY_COL("CRED3")
PRINCIPAL_NAME_COL
static const std::string PRINCIPAL_NAME_COL("P_NAME")
gather_cfg.cout
cout
Definition: gather_cfg.py:144
CONNECTION_LABEL_COL
static const std::string CONNECTION_LABEL_COL("CONN_LABEL")
TABLE_PREFIX
static const std::string TABLE_PREFIX("DB_")
SiStripCommissioningClient_cfg.conn
conn
Definition: SiStripCommissioningClient_cfg.py:5
VERIFICATION_KEY_COL
static const std::string VERIFICATION_KEY_COL("CRED6")
cond::CSScopedSession
Definition: CredentialStore.cc:184
writedatasetfile.parser
parser
Definition: writedatasetfile.py:7
cond::CredentialStore::openConnection
std::pair< std::string, std::string > openConnection(const std::string &connectionString)
Definition: CredentialStore.cc:576
mps_check.msg
tuple msg
Definition: mps_check.py:285
SEQUENCE_TABLE
static const std::string SEQUENCE_TABLE("CREDENTIAL_SEQUENCE")
cond::CredentialStore::Permission::connectionString
std::string connectionString
Definition: CredentialStore.h:131
coral_bridge::AuthenticationCredentialSet::get
const coral::IAuthenticationCredentials * get(const std::string &connectionString) const
Definition: CredentialStore.cc:97
spr::find
void find(edm::Handle< EcalRecHitCollection > &hits, DetId thisDet, std::vector< EcalRecHitCollection::const_iterator > &hit, bool debug=false)
Definition: FindCaloHit.cc:19
cond::getNextSequenceValue
bool getNextSequenceValue(const std::string &schemaVersion, coral::ISchema &schema, const std::string &sequenceName, int &value)
Definition: CredentialStore.cc:329
cond::PrincipalData::verifKey
std::string verifKey
Definition: CredentialStore.cc:200
newFWLiteAna.found
found
Definition: newFWLiteAna.py:118
serviceName
static const std::string serviceName
Definition: CredentialStore.cc:31
coral_bridge::AuthenticationCredentialSet::data
const std::map< std::pair< std::string, std::string >, coral::AuthenticationCredentials * > & data() const
Definition: CredentialStore.cc:115
HLT_Fake1_cff.tableName
tableName
Definition: HLT_Fake1_cff.py:10
cond::CredentialStore::startSession
void startSession(bool readMode)
Definition: CredentialStore.cc:612
ADMIN_KEY_COL
static const std::string ADMIN_KEY_COL("CRED2")
to_lower
std::string to_lower(const std::string &s)
Definition: CredentialStore.cc:157
cond::auth::Cipher::b64encrypt
std::string b64encrypt(const std::string &input)
Definition: Cipher.cc:109
EcalCondDBWriter_cfi.userName
userName
Definition: EcalCondDBWriter_cfi.py:61
cond::CredentialStore::selectForUser
bool selectForUser(coral_bridge::AuthenticationCredentialSet &destinationData)
Definition: CredentialStore.cc:1183
cond::CredentialStore::listConnections
bool listConnections(std::map< std::string, std::pair< std::string, std::string > > &destination)
Definition: CredentialStore.cc:1370
CONNECTION_KEY_COL
static const std::string CONNECTION_KEY_COL("CRED7")
coral_bridge::AuthenticationCredentialSet::registerItem
void registerItem(const std::string &connectionString, const std::string &itemName, const std::string &itemValue)
Definition: CredentialStore.cc:43
alignCSCRings.s
s
Definition: alignCSCRings.py:92
cond::CredentialStore::setUpForConnectionString
std::string setUpForConnectionString(const std::string &connectionString, const std::string &authPath)
Definition: CredentialStore.cc:760
EcalCondDBWriter_cfi.password
password
Definition: EcalCondDBWriter_cfi.py:62
cond::PrincipalData::adminKey
std::string adminKey
Definition: CredentialStore.cc:202
addSequence
void addSequence(const std::string &schemaVersion, coral::ISchema &schema, const std::string &name)
Definition: CredentialStore.cc:774
cond::CredentialData::userName
std::string userName
Definition: CredentialStore.cc:240
query
Definition: query.py:1
cond::CredentialStore::~CredentialStore
virtual ~CredentialStore()
Standard Destructor.
Definition: CredentialStore.cc:726
cond::CredentialStore::closeSession
void closeSession(bool commit=true)
Definition: CredentialStore.cc:557
cmsHarvester.permissions
permissions
Definition: cmsHarvester.py:1650
cond::CredentialStore::removePrincipal
bool removePrincipal(const std::string &principal)
Definition: CredentialStore.cc:1112
cond::CredentialStore::log
std::string log()
Definition: CredentialStore.cc:1537
cond::CredentialStore::setUpForService
std::string setUpForService(const std::string &serviceName, const std::string &authPath)
Sets the initialization parameters.
Definition: CredentialStore.cc:728
coral_bridge::AuthenticationCredentialSet::AuthenticationCredentialSet
AuthenticationCredentialSet()
Constructor.
Definition: CredentialStore.cc:33
cond::CredentialData::connectionKey
std::string connectionKey
Definition: CredentialStore.cc:242
SEQUENCE_NAME_COL
static const std::string SEQUENCE_NAME_COL("NAME")
mps_fire.end
end
Definition: mps_fire.py:242
USERNAME_COL
static const std::string USERNAME_COL("CRED4")
str
#define str(s)
Definition: TestProcessor.cc:52
cond::CredentialStore::drop
bool drop(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:929
coral_bridge::AuthenticationCredentialSet::~AuthenticationCredentialSet
virtual ~AuthenticationCredentialSet()
Destructor.
Definition: CredentialStore.cc:35
cond::auth::DecodingKey::FILE_PATH
static constexpr const char *const FILE_PATH
Definition: DecodingKey.h:35
cond::selectPrincipal
bool selectPrincipal(const std::string &schemaVersion, coral::ISchema &schema, const std::string &principal, PrincipalData &destination)
Definition: CredentialStore.cc:205
Cipher.h
cond::CredentialStore
Definition: CredentialStore.h:78
cond::CredentialStore::createSchema
bool createSchema(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:786
gen
Definition: PythiaDecays.h:13
PASSWORD_COL
static const std::string PASSWORD_COL("CRED5")
coral_bridge::AuthenticationCredentialSet::reset
void reset()
Definition: CredentialStore.cc:37
CONNECTION_ID_COL
static const std::string CONNECTION_ID_COL("CONN_ID")
cond::CredentialStore::serviceName
const std::string & serviceName()
Definition: CredentialStore.cc:1533
cond::CSScopedSession::CSScopedSession
CSScopedSession(CredentialStore &store)
Definition: CredentialStore.cc:186
AlCaHLTBitMon_QueryRunRegistry.string
string
Definition: AlCaHLTBitMon_QueryRunRegistry.py:256
cond::auth::COND_DEFAULT_ROLE
static constexpr const char *const COND_DEFAULT_ROLE
Definition: Auth.h:16
cond
Definition: plugin.cc:23
cond::CredentialStore::getUserCredentials
std::pair< std::string, std::string > getUserCredentials(const std::string &connectionString, const std::string &role)
Definition: CredentialStore.cc:1239
cond::CredentialStore::startSuperSession
void startSuperSession(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:604
TrackCollections2monitor_cff.sequenceName
sequenceName
Definition: TrackCollections2monitor_cff.py:6
cond::PrincipalData::id
int id
Definition: CredentialStore.cc:199
cond::auth::COND_KEY
static constexpr const char *const COND_KEY
Definition: Auth.h:28
L1TdeStage2CaloLayer1_cfi.dataSource
dataSource
Definition: L1TdeStage2CaloLayer1_cfi.py:5
cond::CSScopedSession::m_store
CredentialStore & m_store
Definition: CredentialStore.cc:195
cond::CredentialStore::listPrincipals
bool listPrincipals(std::vector< std::string > &destination)
Definition: CredentialStore.cc:1349
coral_bridge::AuthenticationCredentialSet::registerCredentials
void registerCredentials(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:63
cond::CredentialStore::importForPrincipal
bool importForPrincipal(const std::string &principal, const coral_bridge::AuthenticationCredentialSet &data, bool forceUpdateConnection=false)
import data
Definition: CredentialStore.cc:1299
cond::selectConnection
bool selectConnection(const std::string &schemaVersion, coral::ISchema &schema, const std::string &connectionLabel, CredentialData &destination)
Definition: CredentialStore.cc:247
cond::auth::Cipher::b64decrypt
std::string b64decrypt(const std::string &input)
Definition: Cipher.cc:122
cond::CredentialStore::updateConnection
bool updateConnection(const std::string &connectionLabel, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:1097
FrontierConditions_GlobalTag_cff.file
file
Definition: FrontierConditions_GlobalTag_cff.py:13
P_ID_COL
static const std::string P_ID_COL("P_ID")
value
Definition: value.py:1
cond::CredentialStore::removeConnection
bool removeConnection(const std::string &connectionLabel)
Definition: CredentialStore.cc:1148
cond::AuthorizationData
Definition: CredentialStore.cc:283
coral_bridge::AuthenticationCredentialSet
Definition: CredentialStore.h:24
cond::CredentialStore::exportAll
bool exportAll(coral_bridge::AuthenticationCredentialSet &data)
Definition: CredentialStore.cc:1476
cond::CredentialStore::Permission::role
std::string role
Definition: CredentialStore.h:130
tname
std::string tname(const std::string &tableName, const std::string &schemaVersion)
Definition: CredentialStore.cc:150
cond::CredentialStore::Permission::connectionLabel
std::string connectionLabel
Definition: CredentialStore.h:132
CREDENTIAL_TABLE
static const std::string CREDENTIAL_TABLE("CREDENTIAL")
get
#define get
cond::auth::KeyGenerator
Definition: DecodingKey.h:20
VERIFICATION_COL
static const std::string VERIFICATION_COL("CRED0")
instance
static PFTauRenderPlugin instance
Definition: PFTauRenderPlugin.cc:70
cond::AuthorizationData::id
int id
Definition: CredentialStore.cc:284
CredentialStore.h
HLTMuonOfflineAnalyzer_cff.destination
destination
Definition: HLTMuonOfflineAnalyzer_cff.py:50
cond::CredentialData::password
std::string password
Definition: CredentialStore.cc:241
cond::updateConnectionData
std::pair< int, std::string > updateConnectionData(const std::string &schemaVersion, coral::ISchema &schema, const std::string &adminKey, const std::string &connectionLabel, const std::string &userName, const std::string &password, bool forceUpdate, std::stringstream &log)
Definition: CredentialStore.cc:484
cond::selectAuthorization
bool selectAuthorization(const std::string &schemaVersion, coral::ISchema &schema, int principalId, const std::string &role, const std::string &connectionString, AuthorizationData &destination)
Definition: CredentialStore.cc:290
cond::AuthorizationData::connectionId
int connectionId
Definition: CredentialStore.cc:285
init
Definition: init.py:1
LEGACY_TABLE_PREFIX
static const std::string LEGACY_TABLE_PREFIX("COND_")
cond::CredentialStore::CredentialStore
CredentialStore()
Standard Constructor.
Definition: CredentialStore.cc:716
triggerObjects_cff.id
id
Definition: triggerObjects_cff.py:29
AUTH_ID_COL
static const std::string AUTH_ID_COL("AUTH_ID")
Exception
Definition: hltDiff.cc:245
PRINCIPAL_KEY_COL
static const std::string PRINCIPAL_KEY_COL("CRED1")
PRINCIPAL_ID_COL
static const std::string PRINCIPAL_ID_COL("P_ID")
cond::AuthorizationData::key
std::string key
Definition: CredentialStore.cc:286
Skims_PA_cff.name
name
Definition: Skims_PA_cff.py:17
relval_steps.gen
def gen(fragment, howMuch)
Production test section ####.
Definition: relval_steps.py:504
dqm-mbProfile.log
log
Definition: dqm-mbProfile.py:17
cond::persistency::throwException
void throwException(const std::string &message, const std::string &methodName)
Definition: Exception.cc:12
data
char data[epos_bytes_allocation]
Definition: EPOS_Wrapper.h:79
cond::CredentialStore::resetAdmin
bool resetAdmin(const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:945
coral_bridge::AuthenticationCredentialSet::import
void import(const AuthenticationCredentialSet &data)
Definition: CredentialStore.cc:85
cond::CredentialStore::selectPermissions
bool selectPermissions(const std::string &principalName, const std::string &role, const std::string &connectionString, std::vector< Permission > &destination)
Definition: CredentialStore.cc:1414
cond::schemaLabel
std::string schemaLabel(const std::string &serviceName, const std::string &userName)
Definition: CredentialStore.cc:167
Auth.h
reset
void reset(double vett[256])
Definition: TPedValues.cc:11
contentValuesFiles.query
query
Definition: contentValuesFiles.py:38
cond::CredentialData
Definition: CredentialStore.cc:238
cond::auth::Cipher
Definition: Cipher.h:13
castor_dqm_sourceclient_file_cfg.path
path
Definition: castor_dqm_sourceclient_file_cfg.py:37
genParticles_cff.map
map
Definition: genParticles_cff.py:11
cond::CredentialStore::setPermission
bool setPermission(const std::string &principal, const std::string &role, const std::string &connectionString, const std::string &connectionLabel)
Definition: CredentialStore.cc:1021
cond::CredentialStore::unsetPermission
bool unsetPermission(const std::string &principal, const std::string &role, const std::string &connectionString)
Definition: CredentialStore.cc:1061
c
auto & c
Definition: CAHitNtupletGeneratorKernelsImpl.h:46
cond::CSScopedSession::start
void start(bool readOnly=true)
Definition: CredentialStore.cc:191
cond::auth::ROLES
static const std::set< std::string > ROLES
Definition: Auth.h:21
l1RCTOmdsFedVectorProducer_cfi.connectionString
connectionString
Definition: l1RCTOmdsFedVectorProducer_cfi.py:4
cond::CredentialData::CredentialData
CredentialData()
Definition: CredentialStore.cc:244
crabWrapper.key
key
Definition: crabWrapper.py:19
cond::PrincipalData::principalKey
std::string principalKey
Definition: CredentialStore.cc:201
cond::setPermissionData
bool setPermissionData(const std::string &schemaVersion, coral::ISchema &schema, int principalId, const std::string &principalKey, const std::string &role, const std::string &connectionString, int connectionId, const std::string &connectionKey, std::stringstream &log)
Definition: CredentialStore.cc:428
SEQUENCE_VALUE_COL
static const std::string SEQUENCE_VALUE_COL("VALUE")
cond::CredentialStore::Permission::principalName
std::string principalName
Definition: CredentialStore.h:129
hcallasereventfilter2012_cfi.prefix
prefix
Definition: hcallasereventfilter2012_cfi.py:10
cond::schemaLabelForCredentialStore
std::string schemaLabelForCredentialStore(const std::string &connectionString)
Definition: CredentialStore.cc:176
cond::auth::COND_DB_KEY_SIZE
static constexpr unsigned int COND_DB_KEY_SIZE
Definition: Auth.h:31
GetRecoTauVFromDQM_MC_cff.next
next
Definition: GetRecoTauVFromDQM_MC_cff.py:31
cond::CredentialStore::openSession
void openSession(const std::string &schemaName, const std::string &userName, const std::string &password, bool readMode)
Definition: CredentialStore.cc:590
MillePedeFileConverter_cfg.e
e
Definition: MillePedeFileConverter_cfg.py:37
cond::throwException
void throwException(const std::string &message, const std::string &methodName)
Definition: Exception.cc:18
cond::CredentialData::id
int id
Definition: CredentialStore.cc:239
cond::CSScopedSession::close
void close()
Definition: CredentialStore.cc:192
cond::CredentialStore::Permission
Definition: CredentialStore.h:128
cond::CSScopedSession::startSuper
void startSuper(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:188
Generated for CMSSW Reference Manual by doxygen 1.8.16