// Copyright 2021 The Cockroach Authors.
//
// Use of this software is governed by the Business Source License
// included in the file licenses/BSL.txt.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0, included in the file
// licenses/APL.txt.
package pgwire
import (
"context"
"github.com/labulakalia/sqlfmt/cockroach/pkg/security"
"github.com/labulakalia/sqlfmt/cockroach/pkg/sql/pgwire/hba"
"github.com/labulakalia/sqlfmt/cockroach/pkg/sql/pgwire/identmap"
"github.com/cockroachdb/errors"
)
// RoleMapper defines a mechanism by which an AuthMethod associated
// with an incoming connection may replace the caller-provided system
// identity (e.g.: GSSAPI or X.509 principal, LDAP DN, etc.) with zero
// or more SQLUsernames that will be subsequently validated against the
// SQL roles defined within the database. The mapping from system
// identity to database roles may be derived from the host-based
// authentication mechanism built into CockroachDB, or it could
// conceivably be implemented by an external directory service which
// maps groups of users onto database roles.
//
// RoleMapper is a type alias, so any function with this signature
// satisfies it directly. A mapper returns a non-nil error to reject the
// mapping outright; HbaMapper, for example, does so when a rule would
// map a system identity onto the root user or a reserved role.
type RoleMapper = func(
	ctx context.Context,
	systemIdentity security.SQLUsername,
) ([]security.SQLUsername, error)
// UseProvidedIdentity is the identity RoleMapper: the system identity
// presented by the client is returned unchanged as the single candidate
// SQL role, and no error is ever produced.
func UseProvidedIdentity(
	_ context.Context, id security.SQLUsername,
) ([]security.SQLUsername, error) {
	roles := make([]security.SQLUsername, 1)
	roles[0] = id
	return roles, nil
}

// Compile-time check that UseProvidedIdentity has the RoleMapper signature.
var _ RoleMapper = UseProvidedIdentity
// HbaMapper builds the RoleMapper for a host-based authentication rule.
// When the rule carries no "map" option the returned mapper is
// UseProvidedIdentity; otherwise the system identity is looked up in
// identMap under the named map.
//
// The returned mapper rejects, with an error, any mapping whose result
// contains the root user or a reserved username (the node user, "public"
// and the other reserved prefixes), so that an identity map can never be
// used to acquire a privileged role.
func HbaMapper(hbaEntry *hba.Entry, identMap *identmap.Conf) RoleMapper {
	mapName := hbaEntry.GetOption("map")
	if mapName == "" {
		// No "map" option on this rule: the client's identity is used as-is.
		return UseProvidedIdentity
	}

	mapper := func(_ context.Context, id security.SQLUsername) ([]security.SQLUsername, error) {
		// The identity map is keyed on the normalized username form.
		mapped, err := identMap.Map(mapName, id.Normalized())
		if err != nil {
			return nil, err
		}
		// A mapping rule must never yield root or a reserved role; refuse the
		// whole mapping if any candidate does.
		if bad, found := firstReservedRole(mapped); found {
			return nil, errors.Newf("system identity %q mapped to reserved database role %q",
				id.Normalized(), bad.Normalized())
		}
		return mapped, nil
	}
	return mapper
}

// firstReservedRole returns the first entry of users that is the root user
// or a reserved username, and true; when none is, it returns the zero
// username and false.
func firstReservedRole(users []security.SQLUsername) (security.SQLUsername, bool) {
	for i := range users {
		if users[i].IsRootUser() || users[i].IsReserved() {
			return users[i], true
		}
	}
	var none security.SQLUsername
	return none, false
}