CMS 3D CMS Logo
CredentialStore.cc
Go to the documentation of this file.
1 #include "CondCore/CondDB/interface/CredentialStore.h"
2 #include "CondCore/CondDB/interface/Cipher.h"
3 #include "CondCore/CondDB/interface/Exception.h"
4 #include "CondCore/CondDB/interface/Auth.h"
5 //
6 #include "CoralBase/AttributeList.h"
7 #include "CoralBase/Attribute.h"
8 #include "CoralKernel/Context.h"
9 #include "CoralCommon/URIParser.h"
10 #include "RelationalAccess/AuthenticationCredentials.h"
11 #include "RelationalAccess/IBulkOperation.h"
12 #include "RelationalAccess/IConnection.h"
13 #include "RelationalAccess/ISession.h"
14 #include "RelationalAccess/IRelationalService.h"
15 #include "RelationalAccess/IRelationalDomain.h"
16 #include "RelationalAccess/ITransaction.h"
17 #include "RelationalAccess/ISchema.h"
18 #include "RelationalAccess/ITable.h"
19 #include "RelationalAccess/TableDescription.h"
20 #include "RelationalAccess/ITableDataEditor.h"
21 #include "RelationalAccess/ITablePrivilegeManager.h"
22 #include "RelationalAccess/IQuery.h"
23 #include "RelationalAccess/ICursor.h"
24 //
25 #include "RelationalAccess/AuthenticationCredentials.h"
26 //
27 #include <filesystem>
28 #include <fstream>
29 #include <sstream>
30 
31 static const std::string serviceName = "CondAuthenticationService";
32 
33 coral_bridge::AuthenticationCredentialSet::AuthenticationCredentialSet() : m_data() {}
34 
35 coral_bridge::AuthenticationCredentialSet::~AuthenticationCredentialSet() { reset(); }
36 
37 void coral_bridge::AuthenticationCredentialSet::reset() {
38  for (auto iData = m_data.begin(); iData != m_data.end(); ++iData)
39  delete iData->second;
40  m_data.clear();
41 }
42 
43 void coral_bridge::AuthenticationCredentialSet::registerItem(const std::string& connectionString,
44  const std::string& itemName,
45  const std::string& itemValue) {
46  registerItem(connectionString, cond::auth::COND_DEFAULT_ROLE, itemName, itemValue);
47 }
48 
49 void coral_bridge::AuthenticationCredentialSet::registerItem(const std::string& connectionString,
50  const std::string& role,
51  const std::string& itemName,
52  const std::string& itemValue) {
53  std::pair<std::string, std::string> connKey(connectionString, role);
54  std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::iterator iData =
55  m_data.find(connKey);
56  if (iData == m_data.end()) {
57  iData = m_data.insert(std::make_pair(connKey, new coral::AuthenticationCredentials(serviceName))).first;
58  }
59  iData = m_data.insert(std::make_pair(connKey, new coral::AuthenticationCredentials(serviceName))).first;
60  iData->second->registerItem(itemName, itemValue);
61 }
62 
63 void coral_bridge::AuthenticationCredentialSet::registerCredentials(const std::string& connectionString,
64  const std::string& userName,
65  const std::string& password) {
66  registerCredentials(connectionString, cond::auth::COND_DEFAULT_ROLE, userName, password);
67 }
68 
69 void coral_bridge::AuthenticationCredentialSet::registerCredentials(const std::string& connectionString,
70  const std::string& role,
71  const std::string& userName,
72  const std::string& password) {
73  std::pair<std::string, std::string> connKey(connectionString, role);
74  std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::iterator iData =
75  m_data.find(connKey);
76  if (iData != m_data.end()) {
77  delete iData->second;
78  m_data.erase(connKey);
79  }
80  iData = m_data.insert(std::make_pair(connKey, new coral::AuthenticationCredentials(serviceName))).first;
81  iData->second->registerItem(coral::IAuthenticationCredentials::userItem(), userName);
82  iData->second->registerItem(coral::IAuthenticationCredentials::passwordItem(), password);
83 }
84 
85 void coral_bridge::AuthenticationCredentialSet::import(const AuthenticationCredentialSet& data) {
86  for (std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iData =
87  data.m_data.begin();
88  iData != data.m_data.end();
89  ++iData) {
90  registerCredentials(iData->first.first,
91  iData->first.second,
92  iData->second->valueForItem(coral::IAuthenticationCredentials::userItem()),
93  iData->second->valueForItem(coral::IAuthenticationCredentials::passwordItem()));
94  }
95 }
96 
97 const coral::IAuthenticationCredentials* coral_bridge::AuthenticationCredentialSet::get(
98  const std::string& connectionString) const {
99  return get(connectionString, cond::auth::COND_DEFAULT_ROLE);
100 }
101 
102 const coral::IAuthenticationCredentials* coral_bridge::AuthenticationCredentialSet::get(
103  const std::string& connectionString, const std::string& role) const {
104  const coral::IAuthenticationCredentials* ret = nullptr;
105  std::pair<std::string, std::string> connKey(connectionString, role);
106  std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iData =
107  m_data.find(connKey);
108  if (iData != m_data.end()) {
109  ret = iData->second;
110  }
111  return ret;
112 }
113 
114 const std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>&
115 coral_bridge::AuthenticationCredentialSet::data() const {
116  return m_data;
117 }
118 
119 static const std::string TABLE_PREFIX("DB_");
120 static const std::string LEGACY_TABLE_PREFIX("COND_");
121 static const std::string SEQUENCE_TABLE("CREDENTIAL_SEQUENCE");
122 static const std::string SEQUENCE_NAME_COL("NAME");
123 static const std::string SEQUENCE_VALUE_COL("VALUE");
124 
125 static const std::string AUTHENTICATION_TABLE("AUTHENTICATION");
126 static const std::string PRINCIPAL_ID_COL("P_ID");
127 static const std::string PRINCIPAL_NAME_COL("P_NAME");
128 static const std::string VERIFICATION_COL("CRED0");
129 static const std::string PRINCIPAL_KEY_COL("CRED1");
130 static const std::string ADMIN_KEY_COL("CRED2");
131 
132 static const std::string AUTHORIZATION_TABLE("AUTHORIZATION");
133 static const std::string AUTH_ID_COL("AUTH_ID");
134 static const std::string P_ID_COL("P_ID");
135 static const std::string ROLE_COL("C_ROLE");
136 static const std::string SCHEMA_COL("C_SCHEMA");
137 static const std::string AUTH_KEY_COL("CRED3");
138 static const std::string C_ID_COL("C_ID");
139 
140 static const std::string CREDENTIAL_TABLE("CREDENTIAL");
141 static const std::string CONNECTION_ID_COL("CONN_ID");
142 static const std::string CONNECTION_LABEL_COL("CONN_LABEL");
143 static const std::string USERNAME_COL("CRED4");
144 static const std::string PASSWORD_COL("CRED5");
145 static const std::string VERIFICATION_KEY_COL("CRED6");
146 static const std::string CONNECTION_KEY_COL("CRED7");
147 
148 const std::string DEFAULT_DATA_SOURCE("Cond_Default_Authentication");
149 
150 std::string tname(const std::string& tableName, const std::string& schemaVersion) {
151  std::string prefix(TABLE_PREFIX);
152  if (schemaVersion.empty())
153  prefix = LEGACY_TABLE_PREFIX;
154  return prefix + tableName;
155 }
156 
157 // implementation functions and helpers
158 namespace cond {
159 
160  std::string schemaLabel(const std::string& serviceName, const std::string& userName) {
161  std::string ret = userName;
162  if (!serviceName.empty()) {
163  ret += "@" + serviceName;
164  ret = to_lower(ret);
165  }
166  return ret;
167  }
168 
169  std::string schemaLabelForCredentialStore(const std::string& connectionString) {
170  coral::URIParser parser;
171  parser.setURI(connectionString);
172  std::string serviceName = parser.hostName();
173  std::string schemaName = parser.databaseOrSchemaName();
174  return schemaLabel(serviceName, schemaName);
175  }
176 
177  class CSScopedSession {
178  public:
179  CSScopedSession(CredentialStore& store) : m_store(store) {}
180  ~CSScopedSession() { m_store.closeSession(false); }
181  void startSuper(const std::string& connectionString, const std::string& userName, const std::string& password) {
182  m_store.startSuperSession(connectionString, userName, password);
183  }
184  void start(bool readOnly = true) { m_store.startSession(readOnly); }
185  void close() { m_store.closeSession(); }
186 
187  private:
188  CredentialStore& m_store;
189  };
190 
191  struct PrincipalData {
192  int id;
193  std::string verifKey;
194  std::string principalKey;
195  std::string adminKey;
196  PrincipalData() : id(-1), verifKey(""), principalKey(""), adminKey("") {}
197  };
198  bool selectPrincipal(const std::string& schemaVersion,
199  coral::ISchema& schema,
200  const std::string& principal,
201  PrincipalData& destination) {
202  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHENTICATION_TABLE, schemaVersion)).newQuery());
203  coral::AttributeList readBuff;
204  readBuff.extend<int>(PRINCIPAL_ID_COL);
205  readBuff.extend<std::string>(VERIFICATION_COL);
206  readBuff.extend<std::string>(PRINCIPAL_KEY_COL);
207  readBuff.extend<std::string>(ADMIN_KEY_COL);
208  coral::AttributeList whereData;
209  whereData.extend<std::string>(PRINCIPAL_NAME_COL);
210  whereData[PRINCIPAL_NAME_COL].data<std::string>() = principal;
211  std::string whereClause = PRINCIPAL_NAME_COL + " = :" + PRINCIPAL_NAME_COL;
212  query->defineOutput(readBuff);
213  query->addToOutputList(PRINCIPAL_ID_COL);
214  query->addToOutputList(VERIFICATION_COL);
215  query->addToOutputList(PRINCIPAL_KEY_COL);
216  query->addToOutputList(ADMIN_KEY_COL);
217  query->setCondition(whereClause, whereData);
218  coral::ICursor& cursor = query->execute();
219  bool found = false;
220  if (cursor.next()) {
221  found = true;
222  const coral::AttributeList& row = cursor.currentRow();
223  destination.id = row[PRINCIPAL_ID_COL].data<int>();
224  destination.verifKey = row[VERIFICATION_COL].data<std::string>();
225  destination.principalKey = row[PRINCIPAL_KEY_COL].data<std::string>();
226  destination.adminKey = row[ADMIN_KEY_COL].data<std::string>();
227  }
228  return found;
229  }
230 
231  struct CredentialData {
232  int id;
233  std::string userName;
234  std::string password;
235  std::string connectionKey;
236  std::string verificationKey;
237  CredentialData() : id(-1), userName(""), password(""), connectionKey("") {}
238  };
239 
240  bool selectConnection(const std::string& schemaVersion,
241  coral::ISchema& schema,
242  const std::string& connectionLabel,
243  CredentialData& destination) {
244  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(CREDENTIAL_TABLE, schemaVersion)).newQuery());
245  coral::AttributeList readBuff;
246  readBuff.extend<int>(CONNECTION_ID_COL);
247  readBuff.extend<std::string>(USERNAME_COL);
248  readBuff.extend<std::string>(PASSWORD_COL);
249  readBuff.extend<std::string>(VERIFICATION_KEY_COL);
250  readBuff.extend<std::string>(CONNECTION_KEY_COL);
251  coral::AttributeList whereData;
252  whereData.extend<std::string>(CONNECTION_LABEL_COL);
253  whereData[CONNECTION_LABEL_COL].data<std::string>() = connectionLabel;
254  std::string whereClause = CONNECTION_LABEL_COL + " = :" + CONNECTION_LABEL_COL;
255  query->defineOutput(readBuff);
256  query->addToOutputList(CONNECTION_ID_COL);
257  query->addToOutputList(USERNAME_COL);
258  query->addToOutputList(PASSWORD_COL);
259  query->addToOutputList(VERIFICATION_KEY_COL);
260  query->addToOutputList(CONNECTION_KEY_COL);
261  query->setCondition(whereClause, whereData);
262  coral::ICursor& cursor = query->execute();
263  bool found = false;
264  if (cursor.next()) {
265  const coral::AttributeList& row = cursor.currentRow();
266  destination.id = row[CONNECTION_ID_COL].data<int>();
267  destination.userName = row[USERNAME_COL].data<std::string>();
268  destination.password = row[PASSWORD_COL].data<std::string>();
269  destination.verificationKey = row[VERIFICATION_KEY_COL].data<std::string>();
270  destination.connectionKey = row[CONNECTION_KEY_COL].data<std::string>();
271  found = true;
272  }
273  return found;
274  }
275 
276  struct AuthorizationData {
277  int id;
278  int connectionId;
279  std::string key;
280  AuthorizationData() : id(-1), connectionId(-1), key("") {}
281  };
282 
283  bool selectAuthorization(const std::string& schemaVersion,
284  coral::ISchema& schema,
285  int principalId,
286  const std::string& role,
287  const std::string& connectionString,
288  AuthorizationData& destination) {
289  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHORIZATION_TABLE, schemaVersion)).newQuery());
290  coral::AttributeList readBuff;
291  readBuff.extend<int>(AUTH_ID_COL);
292  readBuff.extend<int>(C_ID_COL);
293  readBuff.extend<std::string>(AUTH_KEY_COL);
294  coral::AttributeList whereData;
295  whereData.extend<int>(P_ID_COL);
296  whereData.extend<std::string>(ROLE_COL);
297  whereData.extend<std::string>(SCHEMA_COL);
298  whereData[P_ID_COL].data<int>() = principalId;
299  whereData[ROLE_COL].data<std::string>() = role;
300  whereData[SCHEMA_COL].data<std::string>() = to_lower(connectionString);
301  std::stringstream whereClause;
302  whereClause << P_ID_COL << " = :" << P_ID_COL;
303  whereClause << " AND " << ROLE_COL << " = :" << ROLE_COL;
304  whereClause << " AND " << SCHEMA_COL << " = :" << SCHEMA_COL;
305  query->defineOutput(readBuff);
306  query->addToOutputList(AUTH_ID_COL);
307  query->addToOutputList(C_ID_COL);
308  query->addToOutputList(AUTH_KEY_COL);
309  query->setCondition(whereClause.str(), whereData);
310  coral::ICursor& cursor = query->execute();
311  bool found = false;
312  if (cursor.next()) {
313  const coral::AttributeList& row = cursor.currentRow();
314  destination.id = row[AUTH_ID_COL].data<int>();
315  destination.connectionId = row[C_ID_COL].data<int>();
316  destination.key = row[AUTH_KEY_COL].data<std::string>();
317  found = true;
318  }
319  return found;
320  }
321 
322  size_t getAuthorizationEntries(const std::string& schemaVersion,
323  coral::ISchema& schema,
324  int principalId,
325  const std::string& role,
326  const std::string& connectionString) {
327  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHORIZATION_TABLE, schemaVersion)).newQuery());
328  coral::AttributeList readBuff;
329  readBuff.extend<int>(AUTH_ID_COL);
330  coral::AttributeList whereData;
331  whereData.extend<std::string>(SCHEMA_COL);
332  std::stringstream whereClause;
333  whereClause << SCHEMA_COL << " = :" << SCHEMA_COL;
334  if (principalId >= 0) {
335  whereData.extend<int>(P_ID_COL);
336  whereClause << "AND" << P_ID_COL << " = :" << P_ID_COL;
337  }
338  if (!role.empty()) {
339  whereData.extend<std::string>(ROLE_COL);
340  whereClause << " AND " << ROLE_COL << " = :" << ROLE_COL;
341  }
342  whereData[SCHEMA_COL].data<std::string>() = connectionString;
343  if (principalId >= 0)
344  whereData[P_ID_COL].data<int>() = principalId;
345  if (!role.empty())
346  whereData[ROLE_COL].data<std::string>() = role;
347  query->defineOutput(readBuff);
348  query->addToOutputList(AUTH_ID_COL);
349  query->setCondition(whereClause.str(), whereData);
350  coral::ICursor& cursor = query->execute();
351  size_t n_entries = 0;
352  while (cursor.next()) {
353  n_entries += 1;
354  }
355  return n_entries;
356  }
357 
358  bool getNextSequenceValue(const std::string& schemaVersion,
359  coral::ISchema& schema,
360  const std::string& sequenceName,
361  int& value) {
362  bool ret = false;
363  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(SEQUENCE_TABLE, schemaVersion)).newQuery());
364  query->limitReturnedRows(1, 0);
365  query->addToOutputList(SEQUENCE_VALUE_COL);
366  query->defineOutputType(SEQUENCE_VALUE_COL, coral::AttributeSpecification::typeNameForType<int>());
367  query->setForUpdate();
368  std::string whereClause(SEQUENCE_NAME_COL + " = :" + SEQUENCE_NAME_COL);
369  coral::AttributeList rowData;
370  rowData.extend<std::string>(SEQUENCE_NAME_COL);
371  rowData.begin()->data<std::string>() = sequenceName;
372  query->setCondition(whereClause, rowData);
373  coral::ICursor& cursor = query->execute();
374  if (cursor.next()) {
375  value = cursor.currentRow().begin()->data<int>() + 1;
376  ret = true;
377  } else {
378  return false;
379  }
380  // update...
381  coral::AttributeList updateData;
382  updateData.extend<std::string>(SEQUENCE_NAME_COL);
383  updateData.extend<int>(SEQUENCE_VALUE_COL);
384  std::string setClause(SEQUENCE_VALUE_COL + " = :" + SEQUENCE_VALUE_COL);
385  std::string whClause(SEQUENCE_NAME_COL + " = :" + SEQUENCE_NAME_COL);
386  coral::AttributeList::iterator iAttribute = updateData.begin();
387  iAttribute->data<std::string>() = sequenceName;
388  ++iAttribute;
389  iAttribute->data<int>() = value;
390  schema.tableHandle(tname(SEQUENCE_TABLE, schemaVersion)).dataEditor().updateRows(setClause, whClause, updateData);
391  return ret;
392  }
393 
394  std::pair<int, std::string> updatePrincipalData(const std::string& schemaVersion,
395  coral::ISchema& schema,
396  const std::string& authenticationKey,
397  const std::string& principalName,
398  const std::string& adminKey,
399  bool init ,
400  std::stringstream& log) {
401  PrincipalData princData;
402  bool found = selectPrincipal(schemaVersion, schema, principalName, princData);
403 
404  auth::Cipher cipher0(authenticationKey);
405  auth::Cipher cipher1(adminKey);
406 
407  std::string verifStr = cipher0.b64encrypt(principalName);
408  std::string principalKey("");
409  int principalId = princData.id;
410 
411  std::string authentication_table_name = tname(AUTHENTICATION_TABLE, schemaVersion);
412 
413  coral::ITableDataEditor& editor = schema.tableHandle(authentication_table_name).dataEditor();
414  if (found) {
415  log << "Updating existing principal " << principalName << " (id: " << principalId << " )" << std::endl;
416  principalKey = cipher1.b64decrypt(princData.adminKey);
417  coral::AttributeList updateData;
418  updateData.extend<int>(PRINCIPAL_ID_COL);
419  updateData.extend<std::string>(VERIFICATION_COL);
420  updateData.extend<std::string>(PRINCIPAL_KEY_COL);
421  updateData.extend<std::string>(ADMIN_KEY_COL);
422  updateData[PRINCIPAL_ID_COL].data<int>() = principalId;
423  updateData[VERIFICATION_COL].data<std::string>() = verifStr;
424  updateData[PRINCIPAL_KEY_COL].data<std::string>() = cipher0.b64encrypt(principalKey);
425  updateData[ADMIN_KEY_COL].data<std::string>() = cipher1.b64encrypt(principalKey);
426  std::stringstream setClause;
427  setClause << VERIFICATION_COL << " = :" << VERIFICATION_COL << ", ";
428  setClause << PRINCIPAL_KEY_COL << " = :" << PRINCIPAL_KEY_COL << ", ";
429  setClause << ADMIN_KEY_COL << " = :" << ADMIN_KEY_COL;
430  std::string whereClause = PRINCIPAL_ID_COL + " = :" + PRINCIPAL_ID_COL;
431  editor.updateRows(setClause.str(), whereClause, updateData);
432  } else {
433  if (init) {
434  principalKey = adminKey;
435  } else {
436  auth::KeyGenerator gen;
437  principalKey = gen.make(auth::COND_DB_KEY_SIZE);
438  }
439  coral::ITableDataEditor& editor0 = schema.tableHandle(authentication_table_name).dataEditor();
440 
441  if (!getNextSequenceValue(schemaVersion, schema, authentication_table_name, principalId))
442  throwException("Can't find " + authentication_table_name + " sequence.", "CredentialStore::updatePrincipal");
443  log << "Creating new principal " << principalName << " (id: " << principalId << " )" << std::endl;
444  coral::AttributeList authData;
445  editor0.rowBuffer(authData);
446  authData[PRINCIPAL_ID_COL].data<int>() = principalId;
447  authData[PRINCIPAL_NAME_COL].data<std::string>() = principalName;
448  authData[VERIFICATION_COL].data<std::string>() = verifStr;
449  authData[PRINCIPAL_KEY_COL].data<std::string>() = cipher0.b64encrypt(principalKey);
450  authData[ADMIN_KEY_COL].data<std::string>() = cipher1.b64encrypt(principalKey);
451  editor0.insertRow(authData);
452  }
453 
454  return std::make_pair(principalId, principalKey);
455  }
456 
457  bool setPermissionData(const std::string& schemaVersion,
458  coral::ISchema& schema,
459  int principalId,
460  const std::string& principalKey,
461  const std::string& role,
462  const std::string& connectionString,
463  int connectionId,
464  const std::string& connectionKey,
465  std::stringstream& log) {
466  if (cond::auth::ROLES.find(role) == cond::auth::ROLES.end()) {
467  throwException(std::string("Role ") + role + " does not exists.", "CredentialStore::setPermission");
468  }
469  auth::Cipher cipher(principalKey);
470  std::string encryptedConnectionKey = cipher.b64encrypt(connectionKey);
471  AuthorizationData authData;
472  bool found = selectAuthorization(schemaVersion, schema, principalId, role, connectionString, authData);
473 
474  std::string authorization_table_name = tname(AUTHORIZATION_TABLE, schemaVersion);
475  coral::ITableDataEditor& editor = schema.tableHandle(authorization_table_name).dataEditor();
476  if (found) {
477  log << "Updating permission for principal id " << principalId << " to access resource " << connectionString
478  << " with role " << role << std::endl;
479  coral::AttributeList updateData;
480  updateData.extend<int>(AUTH_ID_COL);
481  updateData.extend<int>(C_ID_COL);
482  updateData.extend<std::string>(AUTH_KEY_COL);
483  updateData[AUTH_ID_COL].data<int>() = authData.id;
484  updateData[C_ID_COL].data<int>() = connectionId;
485  updateData[AUTH_KEY_COL].data<std::string>() = encryptedConnectionKey;
486  std::string setCl = C_ID_COL + " = :" + C_ID_COL + ", " + AUTH_KEY_COL + " = :" + AUTH_KEY_COL;
487  std::string whereCl = AUTH_ID_COL + " = :" + AUTH_ID_COL;
488  editor.updateRows(setCl, whereCl, updateData);
489  } else {
490  int next = -1;
491  if (!getNextSequenceValue(schemaVersion, schema, authorization_table_name, next))
492  throwException("Can't find " + authorization_table_name + " sequence.", "CredentialStore::setPermission");
493  log << "Setting permission for principal id " << principalId << " to access resource " << connectionString
494  << " with role " << role << std::endl;
495  coral::AttributeList insertData;
496  insertData.extend<int>(AUTH_ID_COL);
497  insertData.extend<int>(P_ID_COL);
498  insertData.extend<std::string>(ROLE_COL);
499  insertData.extend<std::string>(SCHEMA_COL);
500  insertData.extend<std::string>(AUTH_KEY_COL);
501  insertData.extend<int>(C_ID_COL);
502  insertData[AUTH_ID_COL].data<int>() = next;
503  insertData[P_ID_COL].data<int>() = principalId;
504  insertData[ROLE_COL].data<std::string>() = role;
505  insertData[SCHEMA_COL].data<std::string>() = to_lower(connectionString);
506  insertData[AUTH_KEY_COL].data<std::string>() = encryptedConnectionKey;
507  insertData[C_ID_COL].data<int>() = connectionId;
508  editor.insertRow(insertData);
509  }
510  return true;
511  }
512 
513  std::pair<int, std::string> updateConnectionData(const std::string& schemaVersion,
514  coral::ISchema& schema,
515  const std::string& adminKey,
516  const std::string& connectionLabel,
517  const std::string& userName,
518  const std::string& password,
519  bool forceUpdate,
520  std::stringstream& log) {
521  CredentialData credsData;
522  bool found = selectConnection(schemaVersion, schema, connectionLabel, credsData);
523  int connId = credsData.id;
524 
525  auth::Cipher adminCipher(adminKey);
526  std::string connectionKey("");
527  std::string credential_table_name = tname(CREDENTIAL_TABLE, schemaVersion);
528  coral::ITableDataEditor& editor = schema.tableHandle(credential_table_name).dataEditor();
529  if (found) {
530  connectionKey = adminCipher.b64decrypt(credsData.connectionKey);
531  auth::Cipher cipher(connectionKey);
532  std::string verificationKey = cipher.b64decrypt(credsData.verificationKey);
533  if (verificationKey != connectionLabel) {
534  throwException("Decoding of connection key failed.", "CredentialStore::updateConnection");
535  }
536  if (forceUpdate) {
537  std::string encryptedUserName = cipher.b64encrypt(userName);
538  std::string encryptedPassword = cipher.b64encrypt(password);
539  log << "Forcing update of connection " << connectionLabel << std::endl;
540  coral::AttributeList updateData;
541  updateData.extend<int>(CONNECTION_ID_COL);
542  updateData.extend<std::string>(USERNAME_COL);
543  updateData.extend<std::string>(PASSWORD_COL);
544  updateData[CONNECTION_ID_COL].data<int>() = connId;
545  updateData[USERNAME_COL].data<std::string>() = encryptedUserName;
546  updateData[PASSWORD_COL].data<std::string>() = encryptedPassword;
547  std::stringstream setCl;
548  setCl << USERNAME_COL << " = :" << USERNAME_COL;
549  setCl << ", " << PASSWORD_COL << " = :" << PASSWORD_COL;
550  std::string whereCl = CONNECTION_ID_COL + " = :" + CONNECTION_ID_COL;
551  editor.updateRows(setCl.str(), whereCl, updateData);
552  }
553  } else {
554  auth::KeyGenerator gen;
555  connectionKey = gen.make(auth::COND_DB_KEY_SIZE);
556  auth::Cipher cipher(connectionKey);
557  std::string encryptedUserName = cipher.b64encrypt(userName);
558  std::string encryptedPassword = cipher.b64encrypt(password);
559  std::string encryptedLabel = cipher.b64encrypt(connectionLabel);
560 
561  if (!getNextSequenceValue(schemaVersion, schema, credential_table_name, connId))
562  throwException("Can't find " + credential_table_name + " sequence.", "CredentialStore::updateConnection");
563  log << "Creating new connection " << connectionLabel << std::endl;
564  coral::AttributeList insertData;
565  insertData.extend<int>(CONNECTION_ID_COL);
566  insertData.extend<std::string>(CONNECTION_LABEL_COL);
567  insertData.extend<std::string>(USERNAME_COL);
568  insertData.extend<std::string>(PASSWORD_COL);
569  insertData.extend<std::string>(VERIFICATION_KEY_COL);
570  insertData.extend<std::string>(CONNECTION_KEY_COL);
571  insertData[CONNECTION_ID_COL].data<int>() = connId;
572  insertData[CONNECTION_LABEL_COL].data<std::string>() = connectionLabel;
573  insertData[USERNAME_COL].data<std::string>() = encryptedUserName;
574  insertData[PASSWORD_COL].data<std::string>() = encryptedPassword;
575  insertData[VERIFICATION_KEY_COL].data<std::string>() = encryptedLabel;
576  insertData[CONNECTION_KEY_COL].data<std::string>() = adminCipher.b64encrypt(connectionKey);
577  ;
578  editor.insertRow(insertData);
579  }
580  return std::make_pair(connId, connectionKey);
581  }
582 
583 } // namespace cond
584 
585 // class private methods
586 void cond::CredentialStore::closeSession(bool commit) {
587  if (m_session.get()) {
588  if (m_session->transaction().isActive()) {
589  if (commit) {
590  m_session->transaction().commit();
591  } else {
592  m_session->transaction().rollback();
593  }
594  }
595  m_session->endUserSession();
596  }
597  m_session.reset();
598  if (m_connection.get()) {
599  m_connection->disconnect();
600  }
601  m_connection.reset();
602  m_log << "Session has been closed." << std::endl;
603 }
604 
605 std::pair<std::string, std::string> cond::CredentialStore::openConnection(const std::string& connectionString) {
606  coral::IHandle<coral::IRelationalService> relationalService =
607  coral::Context::instance().query<coral::IRelationalService>();
608  if (!relationalService.isValid()) {
609  coral::Context::instance().loadComponent("CORAL/Services/RelationalService");
610  relationalService = coral::Context::instance().query<coral::IRelationalService>();
611  }
612  coral::IRelationalDomain& domain = relationalService->domainForConnection(connectionString);
613  std::pair<std::string, std::string> connTokens = domain.decodeUserConnectionString(connectionString);
614  m_connection.reset(domain.newConnection(connTokens.first));
615  m_connection->connect();
616  return connTokens;
617 }
618 
619 void cond::CredentialStore::openSession(const std::string& schemaName,
620  const std::string& userName,
621  const std::string& password,
622  bool readMode) {
623  coral::AccessMode accessMode = coral::ReadOnly;
624  if (!readMode)
625  accessMode = coral::Update;
626  m_session.reset(m_connection->newSession(schemaName, accessMode));
627  m_session->startUserSession(userName, password);
628  // open read-only transaction
629  m_session->transaction().start(readMode);
630  m_log << "New session opened." << std::endl;
631 }
632 
633 void cond::CredentialStore::startSuperSession(const std::string& connectionString,
634  const std::string& userName,
635  const std::string& password) {
636  std::pair<std::string, std::string> connTokens = openConnection(connectionString);
637  openSession(connTokens.second, userName, password, false);
638 }
639 
640 // open session on the storage
641 void cond::CredentialStore::startSession(bool readMode) {
642  if (!m_serviceData) {
643  throwException("The credential store has not been initialized.", "cond::CredentialStore::openConnection");
644  }
645  const std::string& storeConnectionString = m_serviceData->connectionString;
646 
647  std::pair<std::string, std::string> connTokens = openConnection(storeConnectionString);
648 
649  const std::string& userName = m_serviceData->userName;
650  const std::string& password = m_serviceData->password;
651 
652  openSession(connTokens.second, userName, password, true);
653 
654  coral::ISchema& schema = m_session->nominalSchema();
655  const std::string& schemaVersion = m_key.version();
656  if (!schema.existsTable(tname(AUTHENTICATION_TABLE, schemaVersion)) ||
657  !schema.existsTable(tname(AUTHORIZATION_TABLE, schemaVersion)) ||
658  !schema.existsTable(tname(CREDENTIAL_TABLE, schemaVersion))) {
659  throwException("Credential database does not exists in \"" + storeConnectionString + "\"",
660  "CredentialStore::startSession");
661  }
662 
663  const std::string& principalName = m_key.principalName();
664  // now authenticate...
665  PrincipalData princData;
666  if (!selectPrincipal(schemaVersion, m_session->nominalSchema(), principalName, princData)) {
667  throwException("Invalid credentials provided.(0)", "CredentialStore::startSession");
668  }
669  auth::Cipher cipher0(m_key.principalKey());
670  std::string verifStr = cipher0.b64decrypt(princData.verifKey);
671  if (verifStr != principalName) {
672  throwException("Invalid credentials provided (1)", "CredentialStore::startSession");
673  }
674  // ok, authenticated!
675  m_principalId = princData.id;
676  m_principalKey = cipher0.b64decrypt(princData.principalKey);
677  m_authenticatedPrincipal = m_key.principalName();
678 
679  if (!readMode) {
680  auth::Cipher cipher0(m_principalKey);
681  std::string adminKey = cipher0.b64decrypt(princData.adminKey);
682  if (adminKey != m_principalKey) {
683  // not admin user!
684  throwException("Provided credentials does not allow admin operation.", "CredentialStore::openSession");
685  }
686 
687  // first find the credentials for WRITING in the security tables
688  std::unique_ptr<coral::IQuery> query(schema.newQuery());
689  query->addToTableList(tname(AUTHORIZATION_TABLE, schemaVersion), "AUTHO");
690  query->addToTableList(tname(CREDENTIAL_TABLE, schemaVersion), "CREDS");
691  coral::AttributeList readBuff;
692  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
693  readBuff.extend<std::string>("CREDS." + CONNECTION_KEY_COL);
694  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
695  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
696  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
697  coral::AttributeList whereData;
698  whereData.extend<int>(P_ID_COL);
699  whereData.extend<std::string>(ROLE_COL);
700  whereData.extend<std::string>(SCHEMA_COL);
701  whereData[P_ID_COL].data<int>() = m_principalId;
702  whereData[ROLE_COL].data<std::string>() = auth::COND_ADMIN_ROLE;
703  whereData[SCHEMA_COL].data<std::string>() = storeConnectionString;
704  std::stringstream whereClause;
705  whereClause << "AUTHO." << C_ID_COL << " = CREDS." << CONNECTION_ID_COL;
706  whereClause << " AND AUTHO." << P_ID_COL << " = :" << P_ID_COL;
707  whereClause << " AND AUTHO." << ROLE_COL << " = :" << ROLE_COL;
708  whereClause << " AND AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
709  query->defineOutput(readBuff);
710  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
711  query->addToOutputList("CREDS." + CONNECTION_KEY_COL);
712  query->addToOutputList("CREDS." + USERNAME_COL);
713  query->addToOutputList("CREDS." + PASSWORD_COL);
714  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
715  query->setCondition(whereClause.str(), whereData);
716  coral::ICursor& cursor = query->execute();
717  bool found = false;
718  std::string writeUserName("");
719  std::string writePassword("");
720  if (cursor.next()) {
721  const coral::AttributeList& row = cursor.currentRow();
722  const std::string& connLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
723  const std::string& encryptedConnectionKey = row["CREDS." + CONNECTION_KEY_COL].data<std::string>();
724  std::string connectionKey = cipher0.b64decrypt(encryptedConnectionKey);
725  auth::Cipher cipher1(connectionKey);
726  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
727  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
728  std::string verificationKey = cipher1.b64decrypt(row["CREDS." + VERIFICATION_KEY_COL].data<std::string>());
729  if (verificationKey != connLabel) {
730  throwException("Could not decrypt credentials.Provided key is invalid.", "CredentialStore::startSession");
731  }
732  writeUserName = cipher1.b64decrypt(encryptedUserName);
733  writePassword = cipher1.b64decrypt(encryptedPassword);
734  found = true;
735  }
736  if (!found) {
737  throwException("Provided credentials are invalid for write access.", "CredentialStore::openSession");
738  }
739  m_session->transaction().commit();
740  m_session->endUserSession();
741  openSession(connTokens.second, writeUserName, writePassword, false);
742  }
743 }
744 
745 // class public methods
746 cond::CredentialStore::CredentialStore()
747  : m_connection(),
748  m_session(),
749  m_authenticatedPrincipal(""),
750  m_principalId(-1),
751  m_principalKey(""),
752  m_serviceName(""),
753  m_serviceData(nullptr),
754  m_key(),
755  m_log() {}
756 
757 cond::CredentialStore::~CredentialStore() {}
758 
759 std::string cond::CredentialStore::setUpForService(const std::string& serviceName, const std::string& authPath) {
760  if (serviceName.empty()) {
761  throwException("Service name has not been provided.", "cond::CredentialStore::setUpConnection");
762  }
763  m_serviceName.clear();
764  m_serviceData = nullptr;
765 
766  if (authPath.empty()) {
767  throwException("The authentication Path has not been provided.", "cond::CredentialStore::setUpForService");
768  }
769  std::filesystem::path fullPath(authPath);
770  if (!std::filesystem::exists(authPath) || !std::filesystem::is_directory(authPath)) {
771  throwException("Authentication Path is invalid.", "cond::CredentialStore::setUpForService");
772  }
773  std::filesystem::path file(auth::DecodingKey::FILE_PATH);
774  fullPath /= file;
775 
776  m_key.init(fullPath.string(), auth::COND_KEY);
777 
778  std::map<std::string, auth::ServiceCredentials>::const_iterator iK = m_key.services().find(serviceName);
779  if (iK == m_key.services().end()) {
780  std::string msg("");
781  msg += "Service \"" + serviceName + "\" can't be open with the current key.";
782  throwException(msg, "cond::CredentialStore::setUpConnection");
783  }
784  m_serviceName = serviceName;
785  m_serviceData = &iK->second;
786  m_log << "Opening Credential Store for service " << m_serviceName << " on " << m_serviceData->connectionString
787  << std::endl;
788  return m_serviceData->connectionString;
789 }
790 
791 std::string cond::CredentialStore::setUpForConnectionString(const std::string& connectionString,
792  const std::string& authPath) {
793  coral::IHandle<coral::IRelationalService> relationalService =
794  coral::Context::instance().query<coral::IRelationalService>();
795  if (!relationalService.isValid()) {
796  coral::Context::instance().loadComponent("CORAL/Services/RelationalService");
797  relationalService = coral::Context::instance().query<coral::IRelationalService>();
798  }
799  coral::IRelationalDomain& domain = relationalService->domainForConnection(connectionString);
800  std::pair<std::string, std::string> connTokens = domain.decodeUserConnectionString(connectionString);
801  std::string& serviceName = connTokens.first;
802  return setUpForService(serviceName, authPath);
803 }
804 
805 void addSequence(const std::string& schemaVersion, coral::ISchema& schema, const std::string& name) {
806  // Create the entry in the table
807  coral::AttributeList insertData;
808  insertData.extend<std::string>(SEQUENCE_NAME_COL);
809  insertData.extend<int>(SEQUENCE_VALUE_COL);
810  coral::AttributeList::iterator iAttribute = insertData.begin();
811  iAttribute->data<std::string>() = name;
812  ++iAttribute;
813  iAttribute->data<int>() = -1;
814  schema.tableHandle(tname(SEQUENCE_TABLE, schemaVersion)).dataEditor().insertRow(insertData);
815 }
816 
817 bool cond::CredentialStore::createSchema(const std::string& connectionString,
818  const std::string& userName,
819  const std::string& password) {
820  CSScopedSession session(*this);
821  session.startSuper(connectionString, userName, password);
822 
823  coral::ISchema& schema = m_session->nominalSchema();
824  std::string authentication_table_name = tname(AUTHENTICATION_TABLE, m_key.version());
825  if (schema.existsTable(authentication_table_name)) {
826  throwException("Credential database, already exists.", "CredentialStore::create");
827  }
828 
829  m_log << "Creating sequence table." << std::endl;
830  std::string sequence_table_name = tname(SEQUENCE_TABLE, m_key.version());
831  coral::TableDescription dseq;
832  dseq.setName(sequence_table_name);
833  dseq.insertColumn(SEQUENCE_NAME_COL, coral::AttributeSpecification::typeNameForType<std::string>());
834  dseq.setNotNullConstraint(SEQUENCE_NAME_COL);
835  dseq.insertColumn(SEQUENCE_VALUE_COL, coral::AttributeSpecification::typeNameForType<int>());
836  dseq.setNotNullConstraint(SEQUENCE_VALUE_COL);
837  dseq.setPrimaryKey(std::vector<std::string>(1, SEQUENCE_NAME_COL));
838  schema.createTable(dseq);
839 
840  int columnSize = 2000;
841 
842  m_log << "Creating authentication table." << std::endl;
843  // authentication table
844  addSequence(m_key.version(), schema, authentication_table_name);
845  coral::TableDescription descr0;
846  descr0.setName(authentication_table_name);
847  descr0.insertColumn(PRINCIPAL_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
848  descr0.insertColumn(
849  PRINCIPAL_NAME_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
850  descr0.insertColumn(
851  VERIFICATION_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
852  descr0.insertColumn(
853  PRINCIPAL_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
854  descr0.insertColumn(ADMIN_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
855  descr0.setNotNullConstraint(PRINCIPAL_ID_COL);
856  descr0.setNotNullConstraint(PRINCIPAL_NAME_COL);
857  descr0.setNotNullConstraint(VERIFICATION_COL);
858  descr0.setNotNullConstraint(PRINCIPAL_KEY_COL);
859  descr0.setNotNullConstraint(ADMIN_KEY_COL);
860  std::vector<std::string> columnsUnique;
861  columnsUnique.push_back(PRINCIPAL_NAME_COL);
862  descr0.setUniqueConstraint(columnsUnique);
863  std::vector<std::string> columnsForIndex;
864  columnsForIndex.push_back(PRINCIPAL_ID_COL);
865  descr0.setPrimaryKey(columnsForIndex);
866  schema.createTable(descr0);
867 
868  m_log << "Creating authorization table." << std::endl;
869  std::string authorization_table_name = tname(AUTHORIZATION_TABLE, m_key.version());
870  // authorization table
871  addSequence(m_key.version(), schema, authorization_table_name);
872  coral::TableDescription descr1;
873  descr1.setName(authorization_table_name);
874  descr1.insertColumn(AUTH_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
875  descr1.insertColumn(P_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
876  descr1.insertColumn(ROLE_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
877  descr1.insertColumn(SCHEMA_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
878  descr1.insertColumn(AUTH_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
879  descr1.insertColumn(C_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
880  descr1.setNotNullConstraint(AUTH_ID_COL);
881  descr1.setNotNullConstraint(P_ID_COL);
882  descr1.setNotNullConstraint(ROLE_COL);
883  descr1.setNotNullConstraint(SCHEMA_COL);
884  descr1.setNotNullConstraint(AUTH_KEY_COL);
885  descr1.setNotNullConstraint(C_ID_COL);
886  columnsUnique.clear();
887  columnsUnique.push_back(P_ID_COL);
888  columnsUnique.push_back(ROLE_COL);
889  columnsUnique.push_back(SCHEMA_COL);
890  descr1.setUniqueConstraint(columnsUnique);
891  columnsForIndex.clear();
892  columnsForIndex.push_back(AUTH_ID_COL);
893  descr1.setPrimaryKey(columnsForIndex);
894  schema.createTable(descr1);
895 
896  m_log << "Creating credential table." << std::endl;
897  std::string credential_table_name = tname(CREDENTIAL_TABLE, m_key.version());
898  // credential table
899  addSequence(m_key.version(), schema, credential_table_name);
900  coral::TableDescription descr2;
901  descr2.setName(credential_table_name);
902  descr2.insertColumn(CONNECTION_ID_COL, coral::AttributeSpecification::typeNameForType<int>());
903  descr2.insertColumn(
904  CONNECTION_LABEL_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
905  descr2.insertColumn(USERNAME_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
906  descr2.insertColumn(PASSWORD_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
907  descr2.insertColumn(
908  VERIFICATION_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
909  descr2.insertColumn(
910  CONNECTION_KEY_COL, coral::AttributeSpecification::typeNameForType<std::string>(), columnSize, false);
911  descr2.setNotNullConstraint(CONNECTION_ID_COL);
912  descr2.setNotNullConstraint(CONNECTION_LABEL_COL);
913  descr2.setNotNullConstraint(USERNAME_COL);
914  descr2.setNotNullConstraint(PASSWORD_COL);
915  descr2.setNotNullConstraint(VERIFICATION_KEY_COL);
916  descr2.setNotNullConstraint(CONNECTION_KEY_COL);
917  columnsUnique.clear();
918  columnsUnique.push_back(CONNECTION_LABEL_COL);
919  descr2.setUniqueConstraint(columnsUnique);
920  columnsForIndex.clear();
921  columnsForIndex.push_back(CONNECTION_ID_COL);
922  descr2.setPrimaryKey(columnsForIndex);
923  schema.createTable(descr2);
924 
925  try {
926  schema.tableHandle(authentication_table_name)
927  .privilegeManager()
928  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
929  schema.tableHandle(authorization_table_name)
930  .privilegeManager()
931  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
932  schema.tableHandle(credential_table_name)
933  .privilegeManager()
934  .grantToUser(m_serviceData->userName, coral::ITablePrivilegeManager::Select);
935  } catch (const coral::Exception& e) {
936  std::cout << "WARNING: Could not grant select access to user " << m_serviceData->userName << ": [" << e.what()
937  << "]" << std::endl;
938  }
939  m_log << "Granting ADMIN access permission." << std::endl;
940  auth::KeyGenerator gen;
941  m_principalKey = gen.make(auth::COND_DB_KEY_SIZE);
942  auto princData = updatePrincipalData(
943  m_key.version(), schema, m_key.principalKey(), m_key.principalName(), m_principalKey, true, m_log);
944  std::string credentialAccessLabel = schemaLabel(m_serviceName, userName);
945  auto connParams = updateConnectionData(
946  m_key.version(), schema, m_principalKey, credentialAccessLabel, userName, password, true, m_log);
947  bool ret = setPermissionData(m_key.version(),
948  schema,
949  princData.first,
950  m_principalKey,
951  auth::COND_ADMIN_ROLE,
952  connectionString,
953  connParams.first,
954  connParams.second,
955  m_log);
956  session.close();
957  return ret;
958 }
959 
960 bool cond::CredentialStore::drop(const std::string& connectionString,
961  const std::string& userName,
962  const std::string& password) {
963  CSScopedSession session(*this);
964  session.startSuper(connectionString, userName, password);
965 
966  m_log << "Dropping AUTHORIZATION, CREDENTIAL, AUTHENTICATION and SEQUENCE tables." << std::endl;
967  coral::ISchema& schema = m_session->nominalSchema();
968  schema.dropIfExistsTable(tname(AUTHORIZATION_TABLE, m_key.version()));
969  schema.dropIfExistsTable(tname(CREDENTIAL_TABLE, m_key.version()));
970  schema.dropIfExistsTable(tname(AUTHENTICATION_TABLE, m_key.version()));
971  schema.dropIfExistsTable(tname(SEQUENCE_TABLE, m_key.version()));
972  session.close();
973  return true;
974 }
975 
976 bool cond::CredentialStore::resetAdmin(const std::string& userName, const std::string& password) {
977  if (!m_serviceData) {
978  throwException("The credential store has not been initialized.", "cond::CredentialStore::installAdmin");
979  }
980  const std::string& connectionString = m_serviceData->connectionString;
981 
982  CSScopedSession session(*this);
983  session.startSuper(connectionString, userName, password);
984 
985  coral::ISchema& schema = m_session->nominalSchema();
986  const std::string& principalName = m_key.principalName();
987  const std::string& authenticationKey = m_key.principalKey();
988  PrincipalData princData;
989  if (!selectPrincipal(m_key.version(), schema, principalName, princData)) {
990  std::string msg("User \"");
991  msg += principalName + "\" has not been found.";
992  throwException(msg, "CredentialStore::resetAdmin");
993  }
994  auth::Cipher cipher0(authenticationKey);
995  m_principalKey = cipher0.b64decrypt(princData.principalKey);
996 
997  auto p = updatePrincipalData(m_key.version(), schema, authenticationKey, principalName, m_principalKey, false, m_log);
998  std::string credentialAccessLabel = schemaLabel(m_serviceName, userName);
999  auto connParams = updateConnectionData(
1000  m_key.version(), schema, m_principalKey, credentialAccessLabel, userName, password, true, m_log);
1001  bool ret = setPermissionData(m_key.version(),
1002  schema,
1003  p.first,
1004  m_principalKey,
1005  auth::COND_ADMIN_ROLE,
1006  connectionString,
1007  connParams.first,
1008  connParams.second,
1009  m_log);
1010  session.close();
1011  return ret;
1012 }
1013 
1014 bool cond::CredentialStore::updatePrincipal(const std::string& principalName,
1015  const std::string& authenticationKey,
1016  bool setAdmin) {
1017  CSScopedSession session(*this);
1018  session.start(false);
1019  coral::ISchema& schema = m_session->nominalSchema();
1020  auto princData =
1021  updatePrincipalData(m_key.version(), schema, authenticationKey, principalName, m_principalKey, false, m_log);
1022  bool ret = false;
1023  if (setAdmin) {
1024  int princId = princData.first;
1025  std::string princKey = m_principalKey;
1026  std::string connString = m_serviceData->connectionString;
1027  std::vector<Permission> permissions;
1028  if (!selectPermissions(m_key.principalName(), auth::COND_ADMIN_ROLE, connString, permissions)) {
1029  throwException("The current operating user is not admin user on the underlying Credential Store.",
1030  "CredentialStore::updatePrincipal");
1031  }
1032  std::string connLabel = permissions.front().connectionLabel;
1033  CredentialData credsData;
1034  if (!selectConnection(m_key.version(), schema, connLabel, credsData)) {
1035  throwException("Credential Store connection has not been defined.", "CredentialStore::updatePrincipal");
1036  }
1037  auth::Cipher adminCipher(m_principalKey);
1038  ret = setPermissionData(m_key.version(),
1039  schema,
1040  princId,
1041  princKey,
1042  auth::COND_ADMIN_ROLE,
1043  connString,
1044  credsData.id,
1045  adminCipher.b64decrypt(credsData.connectionKey),
1046  m_log);
1047  }
1048  session.close();
1049  return ret;
1050 }
1051 
1052 bool cond::CredentialStore::setPermission(const std::string& principal,
1053  const std::string& role,
1054  const std::string& connectionString,
1055  const std::string& connectionLabel) {
1056  CSScopedSession session(*this);
1057  session.start(false);
1058 
1059  coral::ISchema& schema = m_session->nominalSchema();
1060 
1061  PrincipalData princData;
1062  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1063 
1064  if (!found) {
1065  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1066  throwException(msg, "CredentialStore::setPermission");
1067  }
1068 
1069  m_log << "Principal " << principal << " id: " << princData.id << std::endl;
1070  CredentialData credsData;
1071  found = selectConnection(m_key.version(), schema, connectionLabel, credsData);
1072 
1073  if (!found) {
1074  std::string msg = "Connection named \"" + connectionLabel + "\" does not exist in the database.";
1075  throwException(msg, "CredentialStore::setPermission");
1076  }
1077 
1078  auth::Cipher cipher(m_principalKey);
1079  bool ret = setPermissionData(m_key.version(),
1080  schema,
1081  princData.id,
1082  cipher.b64decrypt(princData.adminKey),
1083  role,
1084  connectionString,
1085  credsData.id,
1086  cipher.b64decrypt(credsData.connectionKey),
1087  m_log);
1088  session.close();
1089  return ret;
1090 }
1091 
1092 size_t cond::CredentialStore::unsetPermission(const std::string& principal,
1093  const std::string& role,
1094  const std::string& connectionString) {
1095  if (!role.empty() && cond::auth::ROLES.find(role) == cond::auth::ROLES.end()) {
1096  throwException(std::string("Role ") + role + " does not exists.", "CredentialStore::unsetPermission");
1097  }
1098  CSScopedSession session(*this);
1099  session.start(false);
1100  coral::ISchema& schema = m_session->nominalSchema();
1101 
1102  coral::AttributeList deleteData;
1103  deleteData.extend<std::string>(SCHEMA_COL);
1104  std::stringstream whereClause;
1105  m_log << "Removing permissions to access resource " << connectionString;
1106  if (!role.empty()) {
1107  deleteData.extend<std::string>(ROLE_COL);
1108  m_log << " with role " << role;
1109  }
1110  int princId = -1;
1111  if (!principal.empty()) {
1112  PrincipalData princData;
1113  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1114 
1115  if (!found) {
1116  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1117  throwException(msg, "CredentialStore::unsetPermission");
1118  }
1119  deleteData.extend<int>(P_ID_COL);
1120  princId = princData.id;
1121  m_log << " by principal " << principal << " (id: " << princData.id << ")";
1122  }
1123 
1124  size_t n_e = getAuthorizationEntries(m_key.version(), schema, princId, role, connectionString);
1125  m_log << ": " << n_e << " authorization entries." << std::endl;
1126  if (n_e) {
1127  deleteData[SCHEMA_COL].data<std::string>() = connectionString;
1128  whereClause << SCHEMA_COL << " = :" << SCHEMA_COL;
1129  if (!role.empty()) {
1130  deleteData[ROLE_COL].data<std::string>() = role;
1131  whereClause << " AND " << ROLE_COL << " = :" << ROLE_COL;
1132  }
1133  if (!principal.empty()) {
1134  deleteData[P_ID_COL].data<int>() = princId;
1135  whereClause << " AND " << P_ID_COL + " = :" + P_ID_COL;
1136  }
1137  coral::ITableDataEditor& editor = schema.tableHandle(tname(AUTHORIZATION_TABLE, m_key.version())).dataEditor();
1138  editor.deleteRows(whereClause.str(), deleteData);
1139  }
1140  session.close();
1141  return n_e;
1142 }
1143 
1144 bool cond::CredentialStore::updateConnection(const std::string& connectionLabel,
1145  const std::string& userName,
1146  const std::string& password) {
1147  CSScopedSession session(*this);
1148  session.start(false);
1149 
1150  m_session->transaction().start();
1151  coral::ISchema& schema = m_session->nominalSchema();
1152  std::string connLabel = to_lower(connectionLabel);
1153  updateConnectionData(m_key.version(), schema, m_principalKey, connLabel, userName, password, true, m_log);
1154 
1155  session.close();
1156  return true;
1157 }
1158 
1159 bool cond::CredentialStore::removePrincipal(const std::string& principal) {
1160  CSScopedSession session(*this);
1161  session.start(false);
1162  coral::ISchema& schema = m_session->nominalSchema();
1163 
1164  PrincipalData princData;
1165  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1166 
1167  if (!found) {
1168  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1169  throwException(msg, "CredentialStore::removePrincipal");
1170  }
1171 
1172  m_log << "Removing principal " << principal << " (id: " << princData.id << ")" << std::endl;
1173 
1174  coral::ITableDataEditor& editor0 = schema.tableHandle(tname(AUTHORIZATION_TABLE, m_key.version())).dataEditor();
1175 
1176  coral::AttributeList deleteData0;
1177  deleteData0.extend<int>(P_ID_COL);
1178  deleteData0[P_ID_COL].data<int>() = princData.id;
1179  std::string whereClause0 = P_ID_COL + " = :" + P_ID_COL;
1180  editor0.deleteRows(whereClause0, deleteData0);
1181 
1182  coral::ITableDataEditor& editor1 = schema.tableHandle(tname(AUTHENTICATION_TABLE, m_key.version())).dataEditor();
1183 
1184  coral::AttributeList deleteData1;
1185  deleteData1.extend<int>(PRINCIPAL_ID_COL);
1186  deleteData1[PRINCIPAL_ID_COL].data<int>() = princData.id;
1187  std::string whereClause1 = PRINCIPAL_ID_COL + " = :" + PRINCIPAL_ID_COL;
1188  editor1.deleteRows(whereClause1, deleteData1);
1189 
1190  session.close();
1191 
1192  return true;
1193 }
1194 
1195 bool cond::CredentialStore::removeConnection(const std::string& connectionLabel) {
1196  CSScopedSession session(*this);
1197  session.start(false);
1198  coral::ISchema& schema = m_session->nominalSchema();
1199 
1200  CredentialData credsData;
1201  bool found = selectConnection(m_key.version(), schema, connectionLabel, credsData);
1202 
1203  if (!found) {
1204  std::string msg = "Connection named \"" + connectionLabel + "\" does not exist in the database.";
1205  throwException(msg, "CredentialStore::removeConnection");
1206  }
1207 
1208  m_log << "Removing connection " << connectionLabel << std::endl;
1209  coral::ITableDataEditor& editor0 = schema.tableHandle(tname(AUTHORIZATION_TABLE, m_key.version())).dataEditor();
1210 
1211  coral::AttributeList deleteData0;
1212  deleteData0.extend<int>(C_ID_COL);
1213  deleteData0[C_ID_COL].data<int>() = credsData.id;
1214  std::string whereClause0 = C_ID_COL + " = :" + C_ID_COL;
1215  editor0.deleteRows(whereClause0, deleteData0);
1216 
1217  coral::ITableDataEditor& editor1 = schema.tableHandle(tname(CREDENTIAL_TABLE, m_key.version())).dataEditor();
1218 
1219  coral::AttributeList deleteData1;
1220  deleteData1.extend<int>(CONNECTION_ID_COL);
1221  deleteData1[CONNECTION_ID_COL].data<int>() = credsData.id;
1222  std::string whereClause1 = CONNECTION_ID_COL + " = :" + CONNECTION_ID_COL;
1223  editor1.deleteRows(whereClause1, deleteData1);
1224 
1225  session.close();
1226 
1227  return true;
1228 }
1229 
1230 bool cond::CredentialStore::selectForUser(coral_bridge::AuthenticationCredentialSet& destinationData) {
1231  CSScopedSession session(*this);
1232  session.start(true);
1233  coral::ISchema& schema = m_session->nominalSchema();
1234 
1235  auth::Cipher cipher(m_principalKey);
1236 
1237  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1238  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1239  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1240  coral::AttributeList readBuff;
1241  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1242  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1243  readBuff.extend<std::string>("AUTHO." + AUTH_KEY_COL);
1244  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1245  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1246  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1247  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1248  coral::AttributeList whereData;
1249  whereData.extend<int>(P_ID_COL);
1250  whereData[P_ID_COL].data<int>() = m_principalId;
1251  std::stringstream whereClause;
1252  whereClause << "AUTHO." << C_ID_COL << "="
1253  << "CREDS." << CONNECTION_ID_COL;
1254  whereClause << " AND "
1255  << "AUTHO." << P_ID_COL << " = :" << P_ID_COL;
1256  query->defineOutput(readBuff);
1257  query->addToOutputList("AUTHO." + ROLE_COL);
1258  query->addToOutputList("AUTHO." + SCHEMA_COL);
1259  query->addToOutputList("AUTHO." + AUTH_KEY_COL);
1260  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1261  query->addToOutputList("CREDS." + USERNAME_COL);
1262  query->addToOutputList("CREDS." + PASSWORD_COL);
1263  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1264  query->setCondition(whereClause.str(), whereData);
1265  coral::ICursor& cursor = query->execute();
1266  while (cursor.next()) {
1267  const coral::AttributeList& row = cursor.currentRow();
1268  const std::string& role = row["AUTHO." + ROLE_COL].data<std::string>();
1269  const std::string& connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1270  const std::string& encryptedAuthKey = row["AUTHO." + AUTH_KEY_COL].data<std::string>();
1271  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1272  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1273  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1274  std::string authKey = cipher.b64decrypt(encryptedAuthKey);
1275  auth::Cipher connCipher(authKey);
1276  std::string verificationString = connCipher.b64decrypt(row["CREDS." + VERIFICATION_KEY_COL].data<std::string>());
1277  if (verificationString == connectionLabel) {
1278  destinationData.registerCredentials(to_lower(connectionString),
1279  role,
1280  connCipher.b64decrypt(encryptedUserName),
1281  connCipher.b64decrypt(encryptedPassword));
1282  }
1283  }
1284  session.close();
1285  return true;
1286 }
1287 
1288 std::pair<std::string, std::string> cond::CredentialStore::getUserCredentials(const std::string& connectionString,
1289  const std::string& role) {
1290  CSScopedSession session(*this);
1291  session.start(true);
1292  coral::ISchema& schema = m_session->nominalSchema();
1293 
1294  auth::Cipher cipher(m_principalKey);
1295 
1296  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1297  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1298  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1299  coral::AttributeList readBuff;
1300  readBuff.extend<std::string>("AUTHO." + AUTH_KEY_COL);
1301  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1302  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1303  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1304  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1305  coral::AttributeList whereData;
1306  whereData.extend<int>(P_ID_COL);
1307  whereData.extend<std::string>(SCHEMA_COL);
1308  whereData.extend<std::string>(ROLE_COL);
1309  whereData[P_ID_COL].data<int>() = m_principalId;
1310  whereData[SCHEMA_COL].data<std::string>() = to_lower(connectionString);
1311  whereData[ROLE_COL].data<std::string>() = role;
1312  std::stringstream whereClause;
1313  whereClause << "AUTHO." << C_ID_COL << "="
1314  << "CREDS." << CONNECTION_ID_COL;
1315  whereClause << " AND "
1316  << "AUTHO." << P_ID_COL << " = :" << P_ID_COL;
1317  whereClause << " AND "
1318  << "AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
1319  whereClause << " AND "
1320  << "AUTHO." << ROLE_COL << " = :" << ROLE_COL;
1321  query->defineOutput(readBuff);
1322  query->addToOutputList("AUTHO." + AUTH_KEY_COL);
1323  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1324  query->addToOutputList("CREDS." + USERNAME_COL);
1325  query->addToOutputList("CREDS." + PASSWORD_COL);
1326  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1327  query->setCondition(whereClause.str(), whereData);
1328  coral::ICursor& cursor = query->execute();
1329  auto ret = std::make_pair(std::string(""), std::string(""));
1330  if (cursor.next()) {
1331  const coral::AttributeList& row = cursor.currentRow();
1332  const std::string& encryptedAuthKey = row["AUTHO." + AUTH_KEY_COL].data<std::string>();
1333  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1334  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1335  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1336  std::string authKey = cipher.b64decrypt(encryptedAuthKey);
1337  auth::Cipher connCipher(authKey);
1338  std::string verificationString = connCipher.b64decrypt(row["CREDS." + VERIFICATION_KEY_COL].data<std::string>());
1339  if (verificationString == connectionLabel) {
1340  ret.first = connCipher.b64decrypt(encryptedUserName);
1341  ret.second = connCipher.b64decrypt(encryptedPassword);
1342  }
1343  }
1344  session.close();
1345  return ret;
1346 }
1347 
1348 bool cond::CredentialStore::importForPrincipal(const std::string& principal,
1349  const coral_bridge::AuthenticationCredentialSet& dataSource,
1350  bool forceUpdateConnection) {
1351  CSScopedSession session(*this);
1352  session.start(false);
1353  coral::ISchema& schema = m_session->nominalSchema();
1354 
1355  PrincipalData princData;
1356  bool found = selectPrincipal(m_key.version(), schema, principal, princData);
1357 
1358  if (!found) {
1359  std::string msg = "Principal \"" + principal + "\" does not exist in the database.";
1360  throwException(msg, "CredentialStore::importForPrincipal");
1361  }
1362 
1363  bool imported = false;
1364  auth::Cipher cipher(m_principalKey);
1365  std::string princKey = cipher.b64decrypt(princData.adminKey);
1366 
1367  const std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>& creds = dataSource.data();
1368  for (std::map<std::pair<std::string, std::string>, coral::AuthenticationCredentials*>::const_iterator iConn =
1369  creds.begin();
1370  iConn != creds.end();
1371  ++iConn) {
1372  const std::string& connectionString = iConn->first.first;
1373  coral::URIParser parser;
1374  parser.setURI(connectionString);
1375  std::string serviceName = parser.hostName();
1376  const std::string& role = iConn->first.second;
1377  std::string userName = iConn->second->valueForItem(coral::IAuthenticationCredentials::userItem());
1378  std::string password = iConn->second->valueForItem(coral::IAuthenticationCredentials::passwordItem());
1379  // first import the connections
1380  std::pair<int, std::string> conn = updateConnectionData(m_key.version(),
1381  schema,
1382  m_principalKey,
1383  schemaLabel(serviceName, userName),
1384  userName,
1385  password,
1386  forceUpdateConnection,
1387  m_log);
1388  auth::Cipher cipher(m_principalKey);
1389  // than set the permission for the specific role
1390  setPermissionData(
1391  m_key.version(), schema, princData.id, princKey, role, connectionString, conn.first, conn.second, m_log);
1392  imported = true;
1393  }
1394  session.close();
1395  return imported;
1396 }
1397 
1398 bool cond::CredentialStore::listPrincipals(std::vector<std::string>& destination) {
1399  CSScopedSession session(*this);
1400  session.start(true);
1401  coral::ISchema& schema = m_session->nominalSchema();
1402 
1403  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(AUTHENTICATION_TABLE, m_key.version())).newQuery());
1404  coral::AttributeList readBuff;
1405  readBuff.extend<std::string>(PRINCIPAL_NAME_COL);
1406  query->defineOutput(readBuff);
1407  query->addToOutputList(PRINCIPAL_NAME_COL);
1408  coral::ICursor& cursor = query->execute();
1409  bool found = false;
1410  while (cursor.next()) {
1411  found = true;
1412  const coral::AttributeList& row = cursor.currentRow();
1413  destination.push_back(row[PRINCIPAL_NAME_COL].data<std::string>());
1414  }
1415  session.close();
1416  return found;
1417 }
1418 
1419 bool cond::CredentialStore::listConnections(std::map<std::string, std::pair<std::string, std::string> >& destination) {
1420  CSScopedSession session(*this);
1421  session.start(true);
1422  coral::ISchema& schema = m_session->nominalSchema();
1423 
1424  std::unique_ptr<coral::IQuery> query(schema.tableHandle(tname(CREDENTIAL_TABLE, m_key.version())).newQuery());
1425  coral::AttributeList readBuff;
1426  readBuff.extend<std::string>(CONNECTION_LABEL_COL);
1427  readBuff.extend<std::string>(USERNAME_COL);
1428  readBuff.extend<std::string>(PASSWORD_COL);
1429  readBuff.extend<std::string>(VERIFICATION_KEY_COL);
1430  readBuff.extend<std::string>(CONNECTION_KEY_COL);
1431  query->defineOutput(readBuff);
1432  query->addToOutputList(CONNECTION_LABEL_COL);
1433  query->addToOutputList(USERNAME_COL);
1434  query->addToOutputList(PASSWORD_COL);
1435  query->addToOutputList(VERIFICATION_KEY_COL);
1436  query->addToOutputList(CONNECTION_KEY_COL);
1437  coral::ICursor& cursor = query->execute();
1438  bool found = false;
1439  auth::Cipher cipher0(m_principalKey);
1440  while (cursor.next()) {
1441  std::string userName("");
1442  std::string password("");
1443  const coral::AttributeList& row = cursor.currentRow();
1444  const std::string& connLabel = row[CONNECTION_LABEL_COL].data<std::string>();
1445  const std::string& encryptedKey = row[CONNECTION_KEY_COL].data<std::string>();
1446  const std::string& encryptedVerif = row[VERIFICATION_KEY_COL].data<std::string>();
1447  std::string connKey = cipher0.b64decrypt(encryptedKey);
1448  auth::Cipher cipher1(connKey);
1449  std::string verif = cipher1.b64decrypt(encryptedVerif);
1450  if (verif == connLabel) {
1451  const std::string& encryptedUserName = row[USERNAME_COL].data<std::string>();
1452  const std::string& encryptedPassword = row[PASSWORD_COL].data<std::string>();
1453  userName = cipher1.b64decrypt(encryptedUserName);
1454  password = cipher1.b64decrypt(encryptedPassword);
1455  }
1456  destination.insert(std::make_pair(connLabel, std::make_pair(userName, password)));
1457  found = true;
1458  }
1459  session.close();
1460  return found;
1461 }
1462 
1463 bool cond::CredentialStore::selectPermissions(const std::string& principalName,
1464  const std::string& role,
1465  const std::string& connectionString,
1466  std::vector<Permission>& destination) {
1467  CSScopedSession session(*this);
1468  session.start(true);
1469  coral::ISchema& schema = m_session->nominalSchema();
1470  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1471  query->addToTableList(tname(AUTHENTICATION_TABLE, m_key.version()), "AUTHE");
1472  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1473  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1474  coral::AttributeList readBuff;
1475  readBuff.extend<std::string>("AUTHE." + PRINCIPAL_NAME_COL);
1476  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1477  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1478  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1479  coral::AttributeList whereData;
1480  std::stringstream whereClause;
1481  whereClause << "AUTHE." << PRINCIPAL_ID_COL << "= AUTHO." << P_ID_COL;
1482  whereClause << " AND AUTHO." << C_ID_COL << "="
1483  << "CREDS." << CONNECTION_ID_COL;
1484  if (!principalName.empty()) {
1485  whereData.extend<std::string>(PRINCIPAL_NAME_COL);
1486  whereData[PRINCIPAL_NAME_COL].data<std::string>() = principalName;
1487  whereClause << " AND AUTHE." << PRINCIPAL_NAME_COL << " = :" << PRINCIPAL_NAME_COL;
1488  }
1489  if (!role.empty()) {
1490  whereData.extend<std::string>(ROLE_COL);
1491  whereData[ROLE_COL].data<std::string>() = role;
1492  whereClause << " AND AUTHO." << ROLE_COL << " = :" << ROLE_COL;
1493  }
1494  if (!connectionString.empty()) {
1495  whereData.extend<std::string>(SCHEMA_COL);
1496  whereData[SCHEMA_COL].data<std::string>() = to_lower(connectionString);
1497  whereClause << " AND AUTHO." << SCHEMA_COL << " = :" << SCHEMA_COL;
1498  }
1499 
1500  query->defineOutput(readBuff);
1501  query->addToOutputList("AUTHE." + PRINCIPAL_NAME_COL);
1502  query->addToOutputList("AUTHO." + ROLE_COL);
1503  query->addToOutputList("AUTHO." + SCHEMA_COL);
1504  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1505  query->setCondition(whereClause.str(), whereData);
1506  query->addToOrderList("AUTHO." + SCHEMA_COL);
1507  query->addToOrderList("AUTHE." + PRINCIPAL_NAME_COL);
1508  query->addToOrderList("AUTHO." + ROLE_COL);
1509  coral::ICursor& cursor = query->execute();
1510  bool found = false;
1511  while (cursor.next()) {
1512  const coral::AttributeList& row = cursor.currentRow();
1513  destination.resize(destination.size() + 1);
1514  Permission& perm = destination.back();
1515  perm.principalName = row["AUTHE." + PRINCIPAL_NAME_COL].data<std::string>();
1516  perm.role = row["AUTHO." + ROLE_COL].data<std::string>();
1517  perm.connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1518  perm.connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1519  found = true;
1520  }
1521  session.close();
1522  return found;
1523 }
1524 
1525 bool cond::CredentialStore::exportAll(coral_bridge::AuthenticationCredentialSet& data) {
1526  CSScopedSession session(*this);
1527  session.start(true);
1528  coral::ISchema& schema = m_session->nominalSchema();
1529  std::unique_ptr<coral::IQuery> query(schema.newQuery());
1530  query->addToTableList(tname(AUTHORIZATION_TABLE, m_key.version()), "AUTHO");
1531  query->addToTableList(tname(CREDENTIAL_TABLE, m_key.version()), "CREDS");
1532  coral::AttributeList readBuff;
1533  readBuff.extend<std::string>("AUTHO." + ROLE_COL);
1534  readBuff.extend<std::string>("AUTHO." + SCHEMA_COL);
1535  readBuff.extend<std::string>("CREDS." + CONNECTION_LABEL_COL);
1536  readBuff.extend<std::string>("CREDS." + VERIFICATION_KEY_COL);
1537  readBuff.extend<std::string>("CREDS." + CONNECTION_KEY_COL);
1538  readBuff.extend<std::string>("CREDS." + USERNAME_COL);
1539  readBuff.extend<std::string>("CREDS." + PASSWORD_COL);
1540  coral::AttributeList whereData;
1541  std::stringstream whereClause;
1542  whereClause << "AUTHO." << C_ID_COL << "="
1543  << "CREDS." << CONNECTION_ID_COL;
1544 
1545  query->defineOutput(readBuff);
1546  query->addToOutputList("AUTHO." + ROLE_COL);
1547  query->addToOutputList("AUTHO." + SCHEMA_COL);
1548  query->addToOutputList("CREDS." + CONNECTION_LABEL_COL);
1549  query->addToOutputList("CREDS." + VERIFICATION_KEY_COL);
1550  query->addToOutputList("CREDS." + CONNECTION_KEY_COL);
1551  query->addToOutputList("CREDS." + USERNAME_COL);
1552  query->addToOutputList("CREDS." + PASSWORD_COL);
1553  query->setCondition(whereClause.str(), whereData);
1554  coral::ICursor& cursor = query->execute();
1555  bool found = false;
1556  auth::Cipher cipher0(m_principalKey);
1557  while (cursor.next()) {
1558  const coral::AttributeList& row = cursor.currentRow();
1559  const std::string& role = row["AUTHO." + ROLE_COL].data<std::string>();
1560  const std::string& connectionString = row["AUTHO." + SCHEMA_COL].data<std::string>();
1561  const std::string& connectionLabel = row["CREDS." + CONNECTION_LABEL_COL].data<std::string>();
1562  const std::string& encryptedVerifKey = row["CREDS." + VERIFICATION_KEY_COL].data<std::string>();
1563  const std::string& encryptedConnection = row["CREDS." + CONNECTION_KEY_COL].data<std::string>();
1564  std::string userName("");
1565  std::string password("");
1566  std::string connectionKey = cipher0.b64decrypt(encryptedConnection);
1567  auth::Cipher cipher1(connectionKey);
1568  std::string verifKey = cipher1.b64decrypt(encryptedVerifKey);
1569  if (verifKey == connectionLabel) {
1570  const std::string& encryptedUserName = row["CREDS." + USERNAME_COL].data<std::string>();
1571  const std::string& encryptedPassword = row["CREDS." + PASSWORD_COL].data<std::string>();
1572  userName = cipher1.b64decrypt(encryptedUserName);
1573  password = cipher1.b64decrypt(encryptedPassword);
1574  }
1575  data.registerCredentials(to_lower(connectionString), role, userName, password);
1576  found = true;
1577  }
1578  session.close();
1579  return found;
1580 }
1581 
1582 const std::string& cond::CredentialStore::serviceName() { return m_serviceName; }
1583 
1584 const std::string& cond::CredentialStore::keyPrincipalName() { return m_authenticatedPrincipal; }
1585 
1586 std::string cond::CredentialStore::log() { return m_log.str(); }
cond::CredentialStore::getUserCredentials
std::pair< std::string, std::string > getUserCredentials(const std::string &connectionString, const std::string &role)
Definition: CredentialStore.cc:1288
cond::CSScopedSession::CSScopedSession
CSScopedSession(CredentialStore &store)
Definition: CredentialStore.cc:179
cond::CredentialStore::keyPrincipalName
const std::string & keyPrincipalName()
Definition: CredentialStore.cc:1584
LEGACY_TABLE_PREFIX
static const std::string LEGACY_TABLE_PREFIX("COND_")
coral_bridge::AuthenticationCredentialSet::import
void import(const AuthenticationCredentialSet &data)
Definition: CredentialStore.cc:85
L1TdeStage2CaloLayer1_cfi.dataSource
dataSource
Definition: L1TdeStage2CaloLayer1_cfi.py:5
hcallasereventfilter2012_cfi.prefix
prefix
Definition: hcallasereventfilter2012_cfi.py:10
SEQUENCE_VALUE_COL
static const std::string SEQUENCE_VALUE_COL("VALUE")
coral_bridge::AuthenticationCredentialSet
Definition: CredentialStore.h:31
cond::updateConnectionData
std::pair< int, std::string > updateConnectionData(const std::string &schemaVersion, coral::ISchema &schema, const std::string &adminKey, const std::string &connectionLabel, const std::string &userName, const std::string &password, bool forceUpdate, std::stringstream &log)
Definition: CredentialStore.cc:513
cond::CredentialStore::unsetPermission
size_t unsetPermission(const std::string &principal, const std::string &role, const std::string &connectionString)
Definition: CredentialStore.cc:1092
cond::CredentialStore::updatePrincipal
bool updatePrincipal(const std::string &principal, const std::string &principalKey, bool setAdmin=false)
Definition: CredentialStore.cc:1014
cond::CredentialStore::CredentialStore
CredentialStore()
Standard Constructor.
Definition: CredentialStore.cc:746
ROLE_COL
static const std::string ROLE_COL("C_ROLE")
coral_bridge::AuthenticationCredentialSet::~AuthenticationCredentialSet
virtual ~AuthenticationCredentialSet()
Destructor.
Definition: CredentialStore.cc:35
castor_dqm_sourceclient_file_cfg.path
path
Definition: castor_dqm_sourceclient_file_cfg.py:37
instance
static PFTauRenderPlugin instance
Definition: PFTauRenderPlugin.cc:70
cond::CredentialStore::removeConnection
bool removeConnection(const std::string &connectionLabel)
Definition: CredentialStore.cc:1195
runTheMatrix.ret
ret
prodAgent to be discontinued
Definition: runTheMatrix.py:758
cond::CredentialStore::openSession
void openSession(const std::string &schemaName, const std::string &userName, const std::string &password, bool readMode)
Definition: CredentialStore.cc:619
cond::CredentialStore::resetAdmin
bool resetAdmin(const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:976
SCHEMA_COL
static const std::string SCHEMA_COL("C_SCHEMA")
AUTHENTICATION_TABLE
static const std::string AUTHENTICATION_TABLE("AUTHENTICATION")
coral_bridge::AuthenticationCredentialSet::AuthenticationCredentialSet
AuthenticationCredentialSet()
Constructor.
Definition: CredentialStore.cc:33
cond::CredentialStore::listConnections
bool listConnections(std::map< std::string, std::pair< std::string, std::string > > &destination)
Definition: CredentialStore.cc:1419
EcalCondDBWriter_cfi.password
password
Definition: EcalCondDBWriter_cfi.py:62
addSequence
void addSequence(const std::string &schemaVersion, coral::ISchema &schema, const std::string &name)
Definition: CredentialStore.cc:805
cond::updatePrincipalData
std::pair< int, std::string > updatePrincipalData(const std::string &schemaVersion, coral::ISchema &schema, const std::string &authenticationKey, const std::string &principalName, const std::string &adminKey, bool init, std::stringstream &log)
Definition: CredentialStore.cc:394
cond::CSScopedSession::start
void start(bool readOnly=true)
Definition: CredentialStore.cc:184
to_lower
std::string to_lower(const std::string &s)
Definition: CredentialStore.h:23
cond::selectAuthorization
bool selectAuthorization(const std::string &schemaVersion, coral::ISchema &schema, int principalId, const std::string &role, const std::string &connectionString, AuthorizationData &destination)
Definition: CredentialStore.cc:283
MillePedeFileConverter_cfg.e
e
Definition: MillePedeFileConverter_cfg.py:37
l1ctLayer2EG_cff.id
id
Definition: l1ctLayer2EG_cff.py:86
cond::CSScopedSession::startSuper
void startSuper(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:181
spr::find
void find(edm::Handle< EcalRecHitCollection > &hits, DetId thisDet, std::vector< EcalRecHitCollection::const_iterator > &hit, bool debug=false)
Definition: FindCaloHit.cc:19
serviceName
static const std::string serviceName
Definition: CredentialStore.cc:31
cond::CSScopedSession::m_store
CredentialStore & m_store
Definition: CredentialStore.cc:188
GetRecoTauVFromDQM_MC_cff.next
next
Definition: GetRecoTauVFromDQM_MC_cff.py:31
cond::throwException
void throwException(const std::string &message, const std::string &methodName)
Definition: Exception.cc:18
PASSWORD_COL
static const std::string PASSWORD_COL("CRED5")
AlCaHLTBitMon_QueryRunRegistry.string
string string
Definition: AlCaHLTBitMon_QueryRunRegistry.py:256
cond::setPermissionData
bool setPermissionData(const std::string &schemaVersion, coral::ISchema &schema, int principalId, const std::string &principalKey, const std::string &role, const std::string &connectionString, int connectionId, const std::string &connectionKey, std::stringstream &log)
Definition: CredentialStore.cc:457
cond::CredentialStore::closeSession
void closeSession(bool commit=true)
Definition: CredentialStore.cc:586
CONNECTION_KEY_COL
static const std::string CONNECTION_KEY_COL("CRED7")
TABLE_PREFIX
static const std::string TABLE_PREFIX("DB_")
query
Definition: query.py:1
coral_bridge::AuthenticationCredentialSet::registerItem
void registerItem(const std::string &connectionString, const std::string &itemName, const std::string &itemValue)
Definition: CredentialStore.cc:43
SEQUENCE_TABLE
static const std::string SEQUENCE_TABLE("CREDENTIAL_SEQUENCE")
cond::getNextSequenceValue
bool getNextSequenceValue(const std::string &schemaVersion, coral::ISchema &schema, const std::string &sequenceName, int &value)
Definition: CredentialStore.cc:358
ADMIN_KEY_COL
static const std::string ADMIN_KEY_COL("CRED2")
VERIFICATION_KEY_COL
static const std::string VERIFICATION_KEY_COL("CRED6")
cond::CredentialStore::startSession
void startSession(bool readMode)
Definition: CredentialStore.cc:641
cond::auth::ROLES
static const std::set< std::string > ROLES
Definition: Auth.h:21
cond::CredentialStore::updateConnection
bool updateConnection(const std::string &connectionLabel, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:1144
cond::CredentialStore::createSchema
bool createSchema(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:817
cond::auth::COND_ADMIN_ROLE
static constexpr const char *const COND_ADMIN_ROLE
Definition: Auth.h:19
cond::CredentialStore::exportAll
bool exportAll(coral_bridge::AuthenticationCredentialSet &data)
Definition: CredentialStore.cc:1525
cond::schemaLabel
std::string schemaLabel(const std::string &serviceName, const std::string &userName)
Definition: CredentialStore.cc:160
cond::auth::COND_DB_KEY_SIZE
static constexpr unsigned int COND_DB_KEY_SIZE
Definition: Auth.h:38
cond::CredentialStore::listPrincipals
bool listPrincipals(std::vector< std::string > &destination)
Definition: CredentialStore.cc:1398
cond::CredentialStore::setUpForConnectionString
std::string setUpForConnectionString(const std::string &connectionString, const std::string &authPath)
Definition: CredentialStore.cc:791
submitPVResolutionJobs.key
key
prepare the HTCondor submission files and eventually submit them
Definition: submitPVResolutionJobs.py:222
VERIFICATION_COL
static const std::string VERIFICATION_COL("CRED0")
SEQUENCE_NAME_COL
static const std::string SEQUENCE_NAME_COL("NAME")
value
Definition: value.py:1
cond::CredentialStore::setUpForService
std::string setUpForService(const std::string &serviceName, const std::string &authPath)
Sets the initialization parameters.
Definition: CredentialStore.cc:759
cond::CredentialStore::importForPrincipal
bool importForPrincipal(const std::string &principal, const coral_bridge::AuthenticationCredentialSet &data, bool forceUpdateConnection=false)
import data
Definition: CredentialStore.cc:1348
USERNAME_COL
static const std::string USERNAME_COL("CRED4")
relval_steps.gen
def gen(fragment, howMuch)
Event to runs.
Definition: relval_steps.py:750
coral_bridge::AuthenticationCredentialSet::reset
void reset()
Definition: CredentialStore.cc:37
cond::CredentialStore::setPermission
bool setPermission(const std::string &principal, const std::string &role, const std::string &connectionString, const std::string &connectionLabel)
Definition: CredentialStore.cc:1052
cond::CredentialStore::~CredentialStore
virtual ~CredentialStore()
Standard Destructor.
Definition: CredentialStore.cc:757
cond::schemaLabelForCredentialStore
std::string schemaLabelForCredentialStore(const std::string &connectionString)
Definition: CredentialStore.cc:169
cond::CredentialStore::selectForUser
bool selectForUser(coral_bridge::AuthenticationCredentialSet &destinationData)
Definition: CredentialStore.cc:1230
CONNECTION_ID_COL
static const std::string CONNECTION_ID_COL("CONN_ID")
init
Definition: init.py:1
genParticles_cff.map
map
Definition: genParticles_cff.py:11
cond::CredentialStore::removePrincipal
bool removePrincipal(const std::string &principal)
Definition: CredentialStore.cc:1159
cond::CredentialStore::serviceName
const std::string & serviceName()
Definition: CredentialStore.cc:1582
cond::selectConnection
bool selectConnection(const std::string &schemaVersion, coral::ISchema &schema, const std::string &connectionLabel, CredentialData &destination)
Definition: CredentialStore.cc:240
cond::CredentialStore::startSuperSession
void startSuperSession(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:633
HLTMuonOfflineAnalyzer_cff.destination
destination
Definition: HLTMuonOfflineAnalyzer_cff.py:16
PRINCIPAL_ID_COL
static const std::string PRINCIPAL_ID_COL("P_ID")
mps_check.msg
tuple msg
Definition: mps_check.py:286
TrackCollections2monitor_cff.sequenceName
sequenceName
Definition: TrackCollections2monitor_cff.py:6
cond::CredentialStore::selectPermissions
bool selectPermissions(const std::string &principalName, const std::string &role, const std::string &connectionString, std::vector< Permission > &destination)
Definition: CredentialStore.cc:1463
cond::auth::Cipher::b64encrypt
std::string b64encrypt(const std::string &input)
Definition: Cipher.cc:109
AUTH_ID_COL
static const std::string AUTH_ID_COL("AUTH_ID")
AUTHORIZATION_TABLE
static const std::string AUTHORIZATION_TABLE("AUTHORIZATION")
coral_bridge::AuthenticationCredentialSet::registerCredentials
void registerCredentials(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:63
DEFAULT_DATA_SOURCE
const std::string DEFAULT_DATA_SOURCE("Cond_Default_Authentication")
cond::CredentialStore::openConnection
std::pair< std::string, std::string > openConnection(const std::string &connectionString)
Definition: CredentialStore.cc:605
data
char data[epos_bytes_allocation]
Definition: EPOS_Wrapper.h:80
getInfo.conn
conn
Definition: getInfo.py:9
cond::CredentialStore::drop
bool drop(const std::string &connectionString, const std::string &userName, const std::string &password)
Definition: CredentialStore.cc:960
PRINCIPAL_KEY_COL
static const std::string PRINCIPAL_KEY_COL("CRED1")
tname
std::string tname(const std::string &tableName, const std::string &schemaVersion)
Definition: CredentialStore.cc:150
CREDENTIAL_TABLE
static const std::string CREDENTIAL_TABLE("CREDENTIAL")
gather_cfg.cout
cout
Definition: gather_cfg.py:144
P_ID_COL
static const std::string P_ID_COL("P_ID")
cond::auth::DecodingKey::FILE_PATH
static constexpr const char *const FILE_PATH
Definition: DecodingKey.h:35
coral_bridge::AuthenticationCredentialSet::get
const coral::IAuthenticationCredentials * get(const std::string &connectionString) const
Definition: CredentialStore.cc:97
EcalCondDBWriter_cfi.userName
userName
Definition: EcalCondDBWriter_cfi.py:61
coral_bridge::AuthenticationCredentialSet::data
const std::map< std::pair< std::string, std::string >, coral::AuthenticationCredentials * > & data() const
Definition: CredentialStore.cc:115
CONNECTION_LABEL_COL
static const std::string CONNECTION_LABEL_COL("CONN_LABEL")
reset
void reset(double vett[256])
Definition: TPedValues.cc:11
lumi_dqm_sourceclient-live_cfg.authPath
authPath
Definition: lumi_dqm_sourceclient-live_cfg.py:34
cond::selectPrincipal
bool selectPrincipal(const std::string &schemaVersion, coral::ISchema &schema, const std::string &principal, PrincipalData &destination)
Definition: CredentialStore.cc:198
cond::persistency::throwException
void throwException(const std::string &message, const std::string &methodName)
Definition: Exception.cc:12
l1RCTOmdsFedVectorProducer_cfi.connectionString
connectionString
Definition: l1RCTOmdsFedVectorProducer_cfi.py:4
C_ID_COL
static const std::string C_ID_COL("C_ID")
AlCaHLTBitMon_ParallelJobs.p
def p
Definition: AlCaHLTBitMon_ParallelJobs.py:153
cond::auth::COND_KEY
static constexpr const char *const COND_KEY
Definition: Auth.h:35
HLT_2024v14_cff.tableName
tableName
Definition: HLT_2024v14_cff.py:12
Skims_PA_cff.name
name
Definition: Skims_PA_cff.py:17
cond::auth::Cipher::b64decrypt
std::string b64decrypt(const std::string &input)
Definition: Cipher.cc:122
AUTH_KEY_COL
static const std::string AUTH_KEY_COL("CRED3")
cond::auth::COND_DEFAULT_ROLE
static constexpr const char *const COND_DEFAULT_ROLE
Definition: Auth.h:16
PRINCIPAL_NAME_COL
static const std::string PRINCIPAL_NAME_COL("P_NAME")
cond::getAuthorizationEntries
size_t getAuthorizationEntries(const std::string &schemaVersion, coral::ISchema &schema, int principalId, const std::string &role, const std::string &connectionString)
Definition: CredentialStore.cc:322
Generated for CMSSW Reference Manual by doxygen 1.8.14