src/agent/Shared/ApiServerUtils.h in passenger-5.1.12 vs src/agent/Shared/ApiServerUtils.h in passenger-5.2.0

- old
+ new

@@ -31,16 +31,10 @@
 * and agent/Watchdog/ApiServer.h. This code handles authentication and authorization
 * of connected ApiServer clients.
 *
 * This file consists of the following items.
 *
- * ## API accounts
- *
- * API servers can be password protected. They support multiple accounts,
- * each with its own privilege level. These accounts are represented by
- * ApiAccount, stored in ApiAccountDatabase objects.
- *
 * ## Authorization
 *
 * The authorizeXXX() family of functions implement authorization checking on a
 * connected client. Given a client and a request, they perform various
 * checks and return information on what the client is authorized to do.
@@ -94,106 +88,10 @@
 inline string truncateApiKey(const StaticString &apiKey);
 /*******************************
 *
- * API accounts
- *
- *******************************/
-
-struct ApiAccount {
- string username;
- string password;
- bool readonly;
-};
-
-class ApiAccountDatabase {
-private:
- vector<ApiAccount> database;
-
- bool levelDescriptionIsReadOnly(const StaticString &level) const {
- if (level == "readonly") {
- return true;
- } else if (level == "full") {
- return false;
- } else {
- throw ArgumentException("Invalid privilege level " + level);
- }
- }
-
-public:
- /**
- * Add an account to the database with the given parameters.
- *
- * @throws ArgumentException One if the input arguments contain a disallowed value.
- */
- void add(const string &username, const string &password, bool readonly) {
- if (OXT_UNLIKELY(username == "api")) {
- throw ArgumentException("It is not allowed to register an API account with username 'api'");
- }
-
- ApiAccount account;
- account.username = username;
- account.password = password;
- account.readonly = readonly;
- database.push_back(account);
- }
-
- /**
- * Add an account to the database. The account parameters are determined
- * by a description string in the form of [LEVEL]:USERNAME:PASSWORDFILE.
- * LEVEL is one of:
- *
- * readonly Read-only access
- * full Full access (default)
- *
- * @throws ArgumentException One if the input arguments contain a disallowed value.
- */
- void add(const StaticString &description) {
- ApiAccount account;
- vector<string> args;
-
- split(description, ':', args);
-
- if (args.size() == 2) {
- account.username = args[0];
- account.password = strip(readAll(args[1]));
- account.readonly = false;
- } else if (args.size() == 3) {
- account.username = args[1];
- account.password = strip(readAll(args[2]));
- account.readonly = levelDescriptionIsReadOnly(args[0]);
- } else {
- throw ArgumentException("Invalid authorization description '" + description + "'");
- }
-
- if (OXT_UNLIKELY(account.username == "api")) {
- throw ArgumentException("It is not allowed to register an API account with username 'api'");
- }
- database.push_back(account);
- }
-
- bool empty() const {
- return database.empty();
- }
-
- const ApiAccount *lookup(const StaticString &username) const {
- vector<ApiAccount>::const_iterator it, end = database.end();
-
- for (it = database.begin(); it != end; it++) {
- if (it->username == username) {
- return &(*it);
- }
- }
-
- return NULL;
- }
-};
-
-
-/*******************************
- *
 * Authorization functions
 *
 *******************************/
@@ -266,11 +164,11 @@
 if (e.code() != ENOSYS && e.code() != EPROTONOSUPPORT) {
 throw;
 }
 }
- if (server->apiAccountDatabase->empty()) {
+ if (server->getApiAccountDatabase().empty()) {
 SKC_INFO_FROM_STATIC(server, client, "Authenticated as administrator because API account database is empty");
 auth.apiKey = ApplicationPool2::ApiKey::makeSuper();
 auth.canReadPool = true;
 auth.canModifyPool = true;
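Review bot: The `if (server->getApiAccountDatabase().empty())` check in the third hunk still fails open: an empty account database leads straight to `ApiKey::makeSuper()` with `canReadPool` and `canModifyPool` set to true for whichever client reaches this branch. With the database now obtained through a getter instead of a pointer member, this presumably relies on the getter returning the fully loaded account list before any client is served, which the diff does not show. I would state the invariant above the check, for example `// Fail-open: no configured API accounts means every client is treated as administrator.`, and confirm that a configuration load failure cannot leave the database empty. The enclosing function starts and ends outside the hunk.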
@@ -287,10 +185,11 @@
 assert(!auth.apiKey.isSuper());
 auth.canReadPool = true;
 auth.canModifyPool = true;
 }
 } else {
- const ApiAccount *account = server->apiAccountDatabase->lookup(username);
+ const typename ApiServer::ApiAccount *account =
+ server->getApiAccountDatabase().lookup(username);
 if (account != NULL && constantTimeCompare(password, account->password)) {
 SKC_INFO_FROM_STATIC(server, client, "Authenticated with administrator account: " << username);
 auth.apiKey = ApplicationPool2::ApiKey::makeSuper();
 auth.canReadPool = true;
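Review bot: `account` on the two added lines is a raw pointer into whatever `getApiAccountDatabase()` returns, so it is only valid if that getter returns a reference to storage that outlives this function; the getter's declaration is not part of this diff. If it returned the database by value, `lookup()` would give back a pointer into a destroyed temporary, and `constantTimeCompare(password, account->password)` on the next line would compare against freed memory in the authentication path. A comment at the call site would make the requirement explicit, e.g. `// getApiAccountDatabase() must return a reference: account points into its storage.`. The enclosing function and the `if` body continue outside the hunk.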