ClickHouse/src/Access/AuthenticationData.h

#pragma once

#include <Access/Common/AuthenticationType.h>
#include <Access/Common/HTTPAuthenticationScheme.h>
#include <Interpreters/Context_fwd.h>
#include <Parsers/Access/ASTAuthenticationData.h>
#include <Common/SSH/Wrappers.h>

#include <vector>
#include <base/types.h>
#include <boost/container/flat_set.hpp>

namespace DB
{

/// Stores data for checking password when a user logins.
class AuthenticationData
{
public:
    using Digest = std::vector<uint8_t>;

    explicit AuthenticationData(AuthenticationType type_ = AuthenticationType::NO_PASSWORD) : type(type_) {}
    AuthenticationData(const AuthenticationData & src) = default;
    AuthenticationData & operator =(const AuthenticationData & src) = default;
    AuthenticationData(AuthenticationData && src) = default;
    AuthenticationData & operator =(AuthenticationData && src) = default;

    AuthenticationType getType() const { return type; }

    /// Sets the password and encrypt it using the authentication type set in the constructor.
    void setPassword(const String & password_);

    /// Returns the password. Allowed to use only for Type::PLAINTEXT_PASSWORD.
    String getPassword() const;

    /// Sets the password as a string of hexadecimal digits.
    void setPasswordHashHex(const String & hash);
    String getPasswordHashHex() const;

    /// Sets the password in binary form.
    void setPasswordHashBinary(const Digest & hash);
    const Digest & getPasswordHashBinary() const { return password_hash; }

    /// Sets the salt in String form.
    void setSalt(String salt);
    String getSalt() const;

    /// Sets the password using bcrypt hash with specified workfactor
    void setPasswordBcrypt(const String & password_, int workfactor_);

    /// Sets the server name for authentication type LDAP.
    const String & getLDAPServerName() const { return ldap_server_name; }
    void setLDAPServerName(const String & name) { ldap_server_name = name; }

    /// Sets the realm name for authentication type KERBEROS.
    const String & getKerberosRealm() const { return kerberos_realm; }
    void setKerberosRealm(const String & realm) { kerberos_realm = realm; }

    const boost::container::flat_set<String> & getSSLCertificateCommonNames() const { return ssl_certificate_common_names; }
    void setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_);

    const std::vector<ssh::SSHKey> & getSSHKeys() const { return ssh_keys; }
    void setSSHKeys(std::vector<ssh::SSHKey> && ssh_keys_) { ssh_keys = std::forward<std::vector<ssh::SSHKey>>(ssh_keys_); }

    HTTPAuthenticationScheme getHTTPAuthenticationScheme() const { return http_auth_scheme; }
    void setHTTPAuthenticationScheme(HTTPAuthenticationScheme scheme) { http_auth_scheme = scheme; }

    const String & getHTTPAuthenticationServerName() const { return http_auth_server_name; }
    void setHTTPAuthenticationServerName(const String & name) { http_auth_server_name = name; }

    friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
    friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }

    static AuthenticationData fromAST(const ASTAuthenticationData & query, ContextPtr context, bool check_password_rules);
    std::shared_ptr<ASTAuthenticationData> toAST() const;

    struct Util
    {
        static String digestToString(const Digest & text) { return String(text.data(), text.data() + text.size()); }
        static Digest stringToDigest(std::string_view text) { return Digest(text.data(), text.data() + text.size()); }
        static Digest encodeSHA256(std::string_view text);
        static Digest encodeSHA1(std::string_view text);
        static Digest encodeSHA1(const Digest & text) { return encodeSHA1(std::string_view{reinterpret_cast<const char *>(text.data()), text.size()}); }
        static Digest encodeDoubleSHA1(std::string_view text) { return encodeSHA1(encodeSHA1(text)); }
        static Digest encodeDoubleSHA1(const Digest & text) { return encodeSHA1(encodeSHA1(text)); }
        static Digest encodeBcrypt(std::string_view text, int workfactor);
        static bool checkPasswordBcrypt(std::string_view password, const Digest & password_bcrypt);
    };

private:
    AuthenticationType type = AuthenticationType::NO_PASSWORD;
    Digest password_hash;
    String ldap_server_name;
    String kerberos_realm;
    boost::container::flat_set<String> ssl_certificate_common_names;
    String salt;
    std::vector<ssh::SSHKey> ssh_keys;
    /// HTTP authentication properties
    String http_auth_server_name;
    HTTPAuthenticationScheme http_auth_scheme = HTTPAuthenticationScheme::BASIC;
};

}
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`#pragma once`

Separate AuthenticationData and AuthenticationType, small fixes 2023-04-24 15:12:45 +00:00			`#include <Access/Common/AuthenticationType.h>`
Add external HTTP Basic authenticator (#55199) 2023-10-20 17:24:19 +00:00			`#include <Access/Common/HTTPAuthenticationScheme.h>`
Separate AuthenticationData and AuthenticationType, small fixes 2023-04-24 15:12:45 +00:00			`#include <Interpreters/Context_fwd.h>`
Add external HTTP Basic authenticator (#55199) 2023-10-20 17:24:19 +00:00			`#include <Parsers/Access/ASTAuthenticationData.h>`
			`#include <Common/SSH/Wrappers.h>`
Separate AuthenticationData and AuthenticationType, small fixes 2023-04-24 15:12:45 +00:00
Add external HTTP Basic authenticator (#55199) 2023-10-20 17:24:19 +00:00			`#include <vector>`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`#include <base/types.h>`
Support syntax CREATE USER IDENTIFIED WITH ssl_certificate CN ... 2022-02-18 18:01:30 +00:00			`#include <boost/container/flat_set.hpp>`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00
			`namespace DB`
			`{`

			`/// Stores data for checking password when a user logins.`
			`class AuthenticationData`
			`{`
			`public:`
			`using Digest = std::vector<uint8_t>;`

Fix clang-tidy warnings in Access folder 2022-03-11 15:52:15 +00:00			`explicit AuthenticationData(AuthenticationType type_ = AuthenticationType::NO_PASSWORD) : type(type_) {}`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`AuthenticationData(const AuthenticationData & src) = default;`
			`AuthenticationData & operator =(const AuthenticationData & src) = default;`
			`AuthenticationData(AuthenticationData && src) = default;`
			`AuthenticationData & operator =(AuthenticationData && src) = default;`

			`AuthenticationType getType() const { return type; }`

			`/// Sets the password and encrypt it using the authentication type set in the constructor.`
			`void setPassword(const String & password_);`

			`/// Returns the password. Allowed to use only for Type::PLAINTEXT_PASSWORD.`
			`String getPassword() const;`

			`/// Sets the password as a string of hexadecimal digits.`
			`void setPasswordHashHex(const String & hash);`
			`String getPasswordHashHex() const;`

			`/// Sets the password in binary form.`
			`void setPasswordHashBinary(const Digest & hash);`
			`const Digest & getPasswordHashBinary() const { return password_hash; }`

password hash salt feature 2022-04-12 14:30:09 +00:00			`/// Sets the salt in String form.`
			`void setSalt(String salt);`
			`String getSalt() const;`

Make workfactor changeable 2023-01-16 22:11:15 +00:00			`/// Sets the password using bcrypt hash with specified workfactor`
			`void setPasswordBcrypt(const String & password_, int workfactor_);`

Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`/// Sets the server name for authentication type LDAP.`
			`const String & getLDAPServerName() const { return ldap_server_name; }`
			`void setLDAPServerName(const String & name) { ldap_server_name = name; }`

			`/// Sets the realm name for authentication type KERBEROS.`
			`const String & getKerberosRealm() const { return kerberos_realm; }`
			`void setKerberosRealm(const String & realm) { kerberos_realm = realm; }`

Support syntax CREATE USER IDENTIFIED WITH ssl_certificate CN ... 2022-02-18 18:01:30 +00:00			`const boost::container::flat_set<String> & getSSLCertificateCommonNames() const { return ssl_certificate_common_names; }`
A few improvements in the implementation of SSL certificate authentication. 2022-02-18 20:26:49 +00:00			`void setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_);`
support x509 ssl certificate authentication 2022-01-11 14:07:30 +00:00
SSH keys authentication (#41109) Added new type of authentication based on SSH keys. It works only for Native TCP protocol. Co-authored-by: Nikita Mikhaylov <nikitamikhaylov@clickhouse.com> Co-authored-by: Robert Schulze <robert@clickhouse.com> 2023-09-26 15:50:19 +00:00			`const std::vector<ssh::SSHKey> & getSSHKeys() const { return ssh_keys; }`
			`void setSSHKeys(std::vector<ssh::SSHKey> && ssh_keys_) { ssh_keys = std::forward<std::vector<ssh::SSHKey>>(ssh_keys_); }`

Add external HTTP Basic authenticator (#55199) 2023-10-20 17:24:19 +00:00			`HTTPAuthenticationScheme getHTTPAuthenticationScheme() const { return http_auth_scheme; }`
			`void setHTTPAuthenticationScheme(HTTPAuthenticationScheme scheme) { http_auth_scheme = scheme; }`

			`const String & getHTTPAuthenticationServerName() const { return http_auth_server_name; }`
			`void setHTTPAuthenticationServerName(const String & name) { http_auth_server_name = name; }`

Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);`
			`friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs) { return !(lhs == rhs); }`

Separate AuthenticationData and AuthenticationType, small fixes 2023-04-24 15:12:45 +00:00			`static AuthenticationData fromAST(const ASTAuthenticationData & query, ContextPtr context, bool check_password_rules);`
			`std::shared_ptr<ASTAuthenticationData> toAST() const;`

Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`struct Util`
			`{`
Fixes 2023-04-28 15:12:06 +00:00			`static String digestToString(const Digest & text) { return String(text.data(), text.data() + text.size()); }`
Pass const std::string_view & by value, not by reference 2022-07-14 16:11:35 +00:00			`static Digest stringToDigest(std::string_view text) { return Digest(text.data(), text.data() + text.size()); }`
			`static Digest encodeSHA256(std::string_view text);`
			`static Digest encodeSHA1(std::string_view text);`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`static Digest encodeSHA1(const Digest & text) { return encodeSHA1(std::string_view{reinterpret_cast<const char *>(text.data()), text.size()}); }`
Pass const std::string_view & by value, not by reference 2022-07-14 16:11:35 +00:00			`static Digest encodeDoubleSHA1(std::string_view text) { return encodeSHA1(encodeSHA1(text)); }`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`static Digest encodeDoubleSHA1(const Digest & text) { return encodeSHA1(encodeSHA1(text)); }`
Make workfactor changeable 2023-01-16 22:11:15 +00:00			`static Digest encodeBcrypt(std::string_view text, int workfactor);`
Add bcrypt authentification type 2023-01-04 14:22:39 +00:00			`static bool checkPasswordBcrypt(std::string_view password, const Digest & password_bcrypt);`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`};`

			`private:`
			`AuthenticationType type = AuthenticationType::NO_PASSWORD;`
			`Digest password_hash;`
			`String ldap_server_name;`
			`String kerberos_realm;`
Support syntax CREATE USER IDENTIFIED WITH ssl_certificate CN ... 2022-02-18 18:01:30 +00:00			`boost::container::flat_set<String> ssl_certificate_common_names;`
password hash salt feature 2022-04-12 14:30:09 +00:00			`String salt;`
SSH keys authentication (#41109) Added new type of authentication based on SSH keys. It works only for Native TCP protocol. Co-authored-by: Nikita Mikhaylov <nikitamikhaylov@clickhouse.com> Co-authored-by: Robert Schulze <robert@clickhouse.com> 2023-09-26 15:50:19 +00:00			`std::vector<ssh::SSHKey> ssh_keys;`
Add external HTTP Basic authenticator (#55199) 2023-10-20 17:24:19 +00:00			`/// HTTP authentication properties`
			`String http_auth_server_name;`
			`HTTPAuthenticationScheme http_auth_scheme = HTTPAuthenticationScheme::BASIC;`
Split Authentication.h to common and main parts. 2021-11-01 14:03:20 +00:00			`};`

			`}`