Add alter user implementation to the rest role manager

criteo-forks · Oct 27, 2021 · 2904d07 · 2904d07
1 parent 221ff7d
commit 2904d07
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 3 deletions.
diff --git a/auth/rest_authenticator.cc b/auth/rest_authenticator.cc
@@ -328,7 +328,9 @@ namespace auth {
 
     future<> rest_authenticator::create(std::string_view role_name, const authentication_options &options) const {
         role_set roles;
-        return create_with_groups(sstring(role_name), roles, options);
+        return do_with(std::move(roles), [this, role_name, options](role_set &roles) {
+            return create_with_groups(sstring(role_name), roles, options);
+        });
     }
 
     future<> rest_authenticator::create_with_groups(sstring role_name, role_set &roles,
@@ -355,7 +357,9 @@ namespace auth {
 
     future<> rest_authenticator::alter(std::string_view role_name, const authentication_options &options) const {
         role_set roles;
-        return alter_with_groups(sstring(role_name), roles, options);
+        return do_with(std::move(roles), [this, role_name, options](role_set &roles) {
+            return alter_with_groups(sstring(role_name), roles, options);
+        });
     }
 
     future<> rest_authenticator::alter_with_groups(sstring role_name, role_set &roles,

diff --git a/auth/rest_role_manager.cc b/auth/rest_role_manager.cc
@@ -234,7 +234,9 @@ namespace auth {
 
     future<>
     rest_role_manager::alter(std::string_view role_name, const role_config_update &u) const {
-        throw std::logic_error("Not Implemented");
+        // Role manager only managed update of can_login and is_superuser field
+        // Those fields must not be managed by us but set by the rest authenticator when creating user
+        return make_ready_future<>();
     }
 
     future<> rest_role_manager::drop(std::string_view role_name) const {

diff --git a/test/boost/rest_authenticator_test.cc b/test/boost/rest_authenticator_test.cc
@@ -456,3 +456,42 @@ SEASTAR_TEST_CASE(user_password_is_updated) {
             BOOST_REQUIRE(salted_hash != salted_hash2);
         });
 }
+
+
+SEASTAR_TEST_CASE(update_superuser_password) {
+        return with_dummy_authentication_server([](cql_test_env &env) {
+            auto &qp = env.local_qp();
+            create_superuser_role(qp).get();
+
+            auto &a = env.local_auth_service().underlying_authenticator();
+
+            auto creds = auth::authenticator::credentials_map{
+                    {auth::authenticator::USERNAME_KEY, sstring("cassandra")},
+                    {auth::authenticator::PASSWORD_KEY, sstring("cassandra")}
+            };
+
+            auto auth_user = a.authenticate(creds).get();
+            BOOST_REQUIRE_EQUAL(auth_user.name.value(), "cassandra");
+            BOOST_REQUIRE(is_superuser(qp, "cassandra").get());
+
+            // Alter superuser password
+            auth::authentication_options authen_options;
+            authen_options.password = std::optional < std::string > {"123456"};
+            a.alter("cassandra", authen_options).get();
+
+            // Ensure old password doesn't work
+            BOOST_REQUIRE_EXCEPTION(a.authenticate(creds).get(), exceptions::authentication_exception,
+                                    seastar::testing::exception_predicate::message_contains(
+                                            "Bad password for superuser"));
+
+            // Ensure new password works and user rights haven't been affected
+            auto creds_new = auth::authenticator::credentials_map{
+                    {auth::authenticator::USERNAME_KEY, sstring("cassandra")},
+                    {auth::authenticator::PASSWORD_KEY, sstring("123456")}
+            };
+
+            auto auth_user_new = a.authenticate(creds_new).get();
+            BOOST_REQUIRE_EQUAL(auth_user_new.name.value(), "cassandra");
+            BOOST_REQUIRE(is_superuser(qp, "cassandra").get());
+        });
+}