Make it possible to specify a directory where the proxy will look for
extra certificates. The proxy will iterate through the subdirectories of that
directory and load `key.pem` and `cert.pem` files from each subdirectory. The
certs directory structure may look like this:
certs
|--example.com
| |--key.pem
| |--cert.pem
|--foo.bar
|--key.pem
|--cert.pem
Actual domain names are taken from the certs and keys; subdir names are
ignored.
use super::AuthSuccess;
use crate::{
auth::{self, AuthFlow, ClientCredentials},
console::{
self,
provider::{CachedNodeInfo, ConsoleReqExtra},
},
stream,
};
use tokio::io::{AsyncRead, AsyncWrite};
use tracing::{info, warn};
/// Cleartext-password authentication flow.
///
/// Compared to [SCRAM](crate::scram), cleartext password auth saves one
/// round trip and the *expensive* computations (>= 4096 HMAC iterations).
/// Those properties are beneficial for serverless JS workers, which is why
/// this mechanism is used for websocket connections.
///
/// The password read from `client` is not verified here: it is attached to
/// the compute node's config and the compute node performs the real check,
/// so the returned `reported_auth_ok` is always `false`.
///
/// NOTE(review): the password crosses `client` in cleartext; whether that
/// stream is TLS-protected is not visible in this file — confirm at the
/// call site.
///
/// # Errors
///
/// Propagates any failure of the [`AuthFlow`] exchange and of
/// `wake_compute`.
pub async fn cleartext_hack(
    api: &impl console::Api,
    extra: &ConsoleReqExtra<'_>,
    creds: &mut ClientCredentials<'_>,
    client: &mut stream::PqStream<impl AsyncRead + AsyncWrite + Unpin>,
) -> auth::Result<AuthSuccess<CachedNodeInfo>> {
    warn!("cleartext auth flow override is enabled, proceeding");

    // Two explicit steps: open the flow, then read the password.
    let flow = AuthFlow::new(client).begin(auth::CleartextPassword).await?;
    let password = flow.authenticate().await?;

    // Wake the compute node first, then hand it the (unverified) password.
    let node = {
        let mut woken = api.wake_compute(extra, creds).await?;
        woken.config.password(password);
        woken
    };

    // Tentative success only: the compute node validates the password itself.
    Ok(AuthSuccess {
        reported_auth_ok: false,
        value: node,
    })
}
/// Workaround for clients which don't provide an endpoint (project) name.
///
/// Very similar to [`cleartext_hack`], but the password field carries a
/// structured payload ([`auth::PasswordHack`]) holding both the missing
/// project name and the real password. The project name is stored into
/// `creds` before the compute node is woken; the password is attached to
/// the compute node's config unverified, so `reported_auth_ok` is `false`.
///
/// Only the project name is logged here, never the password.
///
/// # Errors
///
/// Propagates any failure of the [`AuthFlow`] exchange and of
/// `wake_compute`.
pub async fn password_hack(
    api: &impl console::Api,
    extra: &ConsoleReqExtra<'_>,
    creds: &mut ClientCredentials<'_>,
    client: &mut stream::PqStream<impl AsyncRead + AsyncWrite + Unpin>,
) -> auth::Result<AuthSuccess<CachedNodeInfo>> {
    warn!("project not specified, resorting to the password hack auth flow");

    // Split the payload into its two parts as soon as it arrives.
    let (project, password) = {
        let payload = AuthFlow::new(client)
            .begin(auth::PasswordHack)
            .await?
            .authenticate()
            .await?;
        (payload.project, payload.password)
    };

    // Fill in the parameter the client omitted before talking to the console.
    info!(project = &project, "received missing parameter");
    creds.project = Some(project);

    let node = {
        let mut woken = api.wake_compute(extra, creds).await?;
        woken.config.password(password);
        woken
    };

    // Tentative success only: the compute node validates the password itself.
    Ok(AuthSuccess {
        reported_auth_ok: false,
        value: node,
    })
}