per-namespace authentication (#685)

Author: MarinPostma

sqld/src/auth.rs

@@ -2,6 +2,8 @@ use anyhow::{bail, Context as _, Result};
 use axum::http::HeaderValue;
 use tonic::Status;
 
+use crate::{namespace::NamespaceName, rpc::NAMESPACE_METADATA_KEY};
+
 static GRPC_AUTH_HEADER: &str = "x-authorization";
 static GRPC_PROXY_AUTH_HEADER: &str = "x-proxy-authorization";
 
@@ -42,16 +44,22 @@ pub enum AuthError {
     Other,
 }
 
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct Authorized {
+    pub namespace: Option<NamespaceName>,
+    pub permission: Permission,
+}
+
 #[non_exhaustive]
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
-pub enum Authorized {
+pub enum Permission {
     FullAccess,
     ReadOnly,
 }
 
 /// A witness that the user has been authenticated.
 #[non_exhaustive]
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+#[derive(Clone, Debug, PartialEq, Eq)]
 pub enum Authenticated {
     Anonymous,
     Authorized(Authorized),
@@ -61,9 +69,13 @@ impl Auth {
     pub fn authenticate_http(
         &self,
         auth_header: Option<&hyper::header::HeaderValue>,
+        disable_namespaces: bool,
     ) -> Result<Authenticated, AuthError> {
         if self.disabled {
-            return Ok(Authenticated::Authorized(Authorized::FullAccess));
+            return Ok(Authenticated::Authorized(Authorized {
+                namespace: None,
+                permission: Permission::FullAccess,
+            }));
         }
 
         let Some(auth_header) = auth_header else {
@@ -80,57 +92,98 @@ impl Auth {
                 let actual_value = actual_value.trim_end_matches('=');
                 let expected_value = expected_value.trim_end_matches('=');
                 if actual_value == expected_value {
-                    Ok(Authenticated::Authorized(Authorized::FullAccess))
+                    Ok(Authenticated::Authorized(Authorized {
+                        namespace: None,
+                        permission: Permission::FullAccess,
+                    }))
                 } else {
                     Err(AuthError::BasicRejected)
                 }
             }
-            HttpAuthHeader::Bearer(token) => self.validate_jwt(&token),
+            HttpAuthHeader::Bearer(token) => self.validate_jwt(&token, disable_namespaces),
         }
     }
 
-    pub fn authenticate_grpc<T>(&self, req: &tonic::Request<T>) -> Result<Authenticated, Status> {
+    pub fn authenticate_grpc<T>(
+        &self,
+        req: &tonic::Request<T>,
+        disable_namespaces: bool,
+    ) -> Result<Authenticated, Status> {
         let metadata = req.metadata();
 
         let auth = metadata
             .get(GRPC_AUTH_HEADER)
             .map(|v| v.to_bytes().expect("Auth should always be ASCII"))
             .map(|v| HeaderValue::from_maybe_shared(v).expect("Should already be valid header"));
 
-        self.authenticate_http(auth.as_ref()).map_err(Into::into)
+        self.authenticate_http(auth.as_ref(), disable_namespaces)
+            .map_err(Into::into)
     }
 
-    pub fn authenticate_jwt(&self, jwt: Option<&str>) -> Result<Authenticated, AuthError> {
+    pub fn authenticate_jwt(
+        &self,
+        jwt: Option<&str>,
+        disable_namespaces: bool,
+    ) -> Result<Authenticated, AuthError> {
         if self.disabled {
-            return Ok(Authenticated::Authorized(Authorized::FullAccess));
+            return Ok(Authenticated::Authorized(Authorized {
+                namespace: None,
+                permission: Permission::FullAccess,
+            }));
         }
 
         let Some(jwt) = jwt else {
             return Err(AuthError::JwtMissing)
         };
 
-        self.validate_jwt(jwt)
+        self.validate_jwt(jwt, disable_namespaces)
     }
 
-    fn validate_jwt(&self, jwt: &str) -> Result<Authenticated, AuthError> {
+    fn validate_jwt(
+        &self,
+        jwt: &str,
+        disable_namespaces: bool,
+    ) -> Result<Authenticated, AuthError> {
         let Some(jwt_key) = self.jwt_key.as_ref() else {
             return Err(AuthError::JwtNotAllowed)
         };
-        validate_jwt(jwt_key, jwt)
+        validate_jwt(jwt_key, jwt, disable_namespaces)
     }
 }
 
 impl Authenticated {
-    pub fn from_proxy_grpc_request<T>(req: &tonic::Request<T>) -> Result<Self, Status> {
+    pub fn from_proxy_grpc_request<T>(
+        req: &tonic::Request<T>,
+        disable_namespace: bool,
+    ) -> Result<Self, Status> {
+        let namespace = if disable_namespace {
+            None
+        } else {
+            req.metadata()
+                .get_bin(NAMESPACE_METADATA_KEY)
+                .map(|c| c.to_bytes())
+                .transpose()
+                .map_err(|_| Status::invalid_argument("failed to parse namespace header"))?
+                .map(NamespaceName::from_bytes)
+                .transpose()
+                .map_err(|_| Status::invalid_argument("invalid namespace name"))?
+        };
+
         let auth = match req
             .metadata()
             .get(GRPC_PROXY_AUTH_HEADER)
             .map(|v| v.to_str())
             .transpose()
             .map_err(|_| Status::invalid_argument("missing authorization header"))?
         {
-            Some("full_access") => Authenticated::Authorized(Authorized::FullAccess),
-            Some("read_only") => Authenticated::Authorized(Authorized::ReadOnly),
+            Some("full_access") => Authenticated::Authorized(Authorized {
+                namespace,
+                permission: Permission::FullAccess,
+            }),
+            Some("read_only") => Authenticated::Authorized(Authorized {
+                namespace,
+                permission: Permission::ReadOnly,
+            }),
             Some("anonymous") => Authenticated::Anonymous,
             Some(level) => {
                 return Err(Status::permission_denied(format!(
@@ -149,14 +202,34 @@ impl Authenticated {
 
         let auth = match self {
             Authenticated::Anonymous => "anonymous",
-            Authenticated::Authorized(Authorized::FullAccess) => "full_access",
-            Authenticated::Authorized(Authorized::ReadOnly) => "read_only",
+            Authenticated::Authorized(Authorized {
+                permission: Permission::FullAccess,
+                ..
+            }) => "full_access",
+            Authenticated::Authorized(Authorized {
+                permission: Permission::ReadOnly,
+                ..
+            }) => "read_only",
         };
 
         let value = tonic::metadata::AsciiMetadataValue::try_from(auth).unwrap();
 
         req.metadata_mut().insert(key, value);
     }
+
+    pub fn is_namespace_authorized(&self, namespace: &NamespaceName) -> bool {
+        match self {
+            Authenticated::Anonymous => true,
+            Authenticated::Authorized(Authorized {
+                namespace: Some(ns),
+                ..
+            }) => ns == namespace,
+            // we threat the absence of a specific namespace has a permission to any namespace
+            Authenticated::Authorized(Authorized {
+                namespace: None, ..
+            }) => true,
+        }
+    }
 }
 
 #[derive(Debug)]
@@ -188,6 +261,7 @@ fn parse_http_auth_header(
 fn validate_jwt(
     jwt_key: &jsonwebtoken::DecodingKey,
     jwt: &str,
+    disable_namespace: bool,
 ) -> Result<Authenticated, AuthError> {
     use jsonwebtoken::errors::ErrorKind;
 
@@ -197,13 +271,26 @@ fn validate_jwt(
     match jsonwebtoken::decode::<serde_json::Value>(jwt, jwt_key, &validation).map(|t| t.claims) {
         Ok(serde_json::Value::Object(claims)) => {
             tracing::trace!("Claims: {claims:#?}");
-            Ok(match claims.get("a").and_then(|s| s.as_str()) {
-                Some("ro") => Authenticated::Authorized(Authorized::ReadOnly),
-                Some("rw") => Authenticated::Authorized(Authorized::FullAccess),
-                Some(_) => Authenticated::Anonymous,
+            let namespace = if disable_namespace {
+                None
+            } else {
+                claims
+                    .get("id")
+                    .and_then(|ns| NamespaceName::from_string(ns.as_str()?.into()).ok())
+            };
+
+            let permission = match claims.get("a").and_then(|s| s.as_str()) {
+                Some("ro") => Permission::ReadOnly,
+                Some("rw") => Permission::FullAccess,
+                Some(_) => return Ok(Authenticated::Anonymous),
                 // Backward compatibility - no access claim means full access
-                None => Authenticated::Authorized(Authorized::FullAccess),
-            })
+                None => Permission::FullAccess,
+            };
+
+            Ok(Authenticated::Authorized(Authorized {
+                namespace,
+                permission,
+            }))
         }
         Ok(_) => Err(AuthError::JwtInvalid),
         Err(error) => Err(match error.kind() {
@@ -280,7 +367,7 @@ mod tests {
     use hyper::header::HeaderValue;
 
     fn authenticate_http(auth: &Auth, header: &str) -> Result<Authenticated, AuthError> {
-        auth.authenticate_http(Some(&HeaderValue::from_str(header).unwrap()))
+        auth.authenticate_http(Some(&HeaderValue::from_str(header).unwrap()), false)
     }
 
     const VALID_JWT_KEY: &str = "zaMv-aFGmB7PXkjM4IrMdF6B5zCYEiEGXW3RgMjNAtc";
@@ -312,9 +399,9 @@ mod tests {
     #[test]
     fn test_default() {
         let auth = Auth::default();
-        assert_err!(auth.authenticate_http(None));
+        assert_err!(auth.authenticate_http(None, false));
         assert_err!(authenticate_http(&auth, "Basic d29qdGVrOnRoZWJlYXI="));
-        assert_err!(auth.authenticate_jwt(Some(VALID_JWT)));
+        assert_err!(auth.authenticate_jwt(Some(VALID_JWT), false));
     }
 
     #[test]
@@ -332,7 +419,7 @@ mod tests {
         assert_err!(authenticate_http(&auth, "Basic d29qdgvronrozwjlyxi="));
         assert_err!(authenticate_http(&auth, "Basic d29qdGVrOnRoZWZveA=="));
 
-        assert_err!(auth.authenticate_http(None));
+        assert_err!(auth.authenticate_http(None, false));
         assert_err!(authenticate_http(&auth, ""));
         assert_err!(authenticate_http(&auth, "foobar"));
         assert_err!(authenticate_http(&auth, "foo bar"));
@@ -356,7 +443,10 @@ mod tests {
 
         assert_eq!(
             authenticate_http(&auth, &format!("Bearer {VALID_READONLY_JWT}")).unwrap(),
-            Authenticated::Authorized(Authorized::ReadOnly)
+            Authenticated::Authorized(Authorized {
+                namespace: None,
+                permission: Permission::ReadOnly
+            })
         );
     }
 
@@ -366,7 +456,7 @@ mod tests {
             jwt_key: Some(parse_jwt_key(VALID_JWT_KEY).unwrap()),
             ..Auth::default()
         };
-        assert_ok!(auth.authenticate_jwt(Some(VALID_JWT)));
-        assert_err!(auth.authenticate_jwt(Some(&VALID_JWT[..80])));
+        assert_ok!(auth.authenticate_jwt(Some(VALID_JWT), false));
+        assert_err!(auth.authenticate_jwt(Some(&VALID_JWT[..80]), false));
     }
 }

sqld/src/connection/libsql.rs

@@ -8,7 +8,7 @@ use sqld_libsql_bindings::wal_hook::WalMethodsHook;
 use tokio::sync::{oneshot, watch};
 use tracing::warn;
 
-use crate::auth::{Authenticated, Authorized};
+use crate::auth::{Authenticated, Authorized, Permission};
 use crate::error::Error;
 use crate::libsql::wal_hook::WalHook;
 use crate::query::Query;
@@ -507,7 +507,13 @@ fn check_program_auth(auth: Authenticated, pgm: &Program) -> Result<()> {
             }
             (StmtKind::Read, Authenticated::Authorized(_)) => (),
             (StmtKind::TxnBegin, _) | (StmtKind::TxnEnd, _) => (),
-            (_, Authenticated::Authorized(Authorized::FullAccess)) => (),
+            (
+                _,
+                Authenticated::Authorized(Authorized {
+                    permission: Permission::FullAccess,
+                    ..
+                }),
+            ) => (),
             _ => {
                 return Err(Error::NotAuthorized(format!(
                     "Current session is not authorized to run: {}",

sqld/src/connection/write_proxy.rs

@@ -282,10 +282,10 @@ impl Connection for WriteProxyConnection {
             // transaction, so we rollback the replica, and execute again on the primary.
             let (builder, new_state) = self
                 .read_conn
-                .execute_program(pgm.clone(), auth, builder)
+                .execute_program(pgm.clone(), auth.clone(), builder)
                 .await?;
             if new_state != State::Init {
-                self.read_conn.rollback(auth).await?;
+                self.read_conn.rollback(auth.clone()).await?;
                 self.execute_remote(pgm, &mut state, auth, builder).await
             } else {
                 Ok((builder, new_state))

sqld/src/hrana/http/mod.rs

@@ -112,7 +112,7 @@ async fn handle_pipeline<C: Connection>(
     let mut results = Vec::with_capacity(req_body.requests.len());
     for request in req_body.requests.into_iter() {
         tracing::debug!("pipeline:{{ {:?}, {:?} }}", version, request);
-        let result = request::handle(&mut stream_guard, auth, request, version).await?;
+        let result = request::handle(&mut stream_guard, auth.clone(), request, version).await?;
         results.push(result);
     }
 

sqld/src/hrana/ws/conn.rs

@@ -11,7 +11,6 @@ use tokio::sync::oneshot;
 use tokio_tungstenite::tungstenite;
 use tungstenite::protocol::frame::coding::CloseCode;
 
-use crate::connection::MakeConnection;
 use crate::database::Database;
 use crate::namespace::{MakeNamespace, NamespaceName};
 
@@ -35,7 +34,8 @@ struct Conn<F: MakeNamespace> {
     join_set: tokio::task::JoinSet<()>,
     /// Future responses to requests that we have received but are evaluating asynchronously.
     responses: FuturesUnordered<ResponseFuture>,
-    connection_maker: Arc<dyn MakeConnection<Connection = <F::Database as Database>::Connection>>,
+    /// Namespace queried by this connections
+    namespace: NamespaceName,
 }
 
 /// A `Future` that stores a handle to a future response to request which is being evaluated
@@ -95,10 +95,6 @@ async fn handle_ws<F: MakeNamespace>(
     conn_id: u64,
     namespace: NamespaceName,
 ) -> Result<()> {
-    let connection_maker = server
-        .namespaces
-        .with(namespace, |ns| ns.db.connection_maker())
-        .await?;
     let mut conn = Conn {
         conn_id,
         server,
@@ -109,7 +105,7 @@ async fn handle_ws<F: MakeNamespace>(
         session: None,
         join_set: tokio::task::JoinSet::new(),
         responses: FuturesUnordered::new(),
-        connection_maker,
+        namespace,
     };
 
     loop {
@@ -259,7 +255,7 @@ async fn handle_request_msg<F: MakeNamespace>(
         session,
         &mut conn.join_set,
         request,
-        conn.connection_maker.clone(),
+        conn.namespace.clone(),
     )
     .await
     .unwrap_or_else(|err| {