diff options
| -rw-r--r-- | share/www/script/couch_test_runner.js | 7 | ||||
| -rw-r--r-- | share/www/script/jquery.couch.js | 1 | ||||
| -rw-r--r-- | share/www/script/test/oauth.js | 2 | ||||
| -rw-r--r-- | share/www/script/test/users_db.js | 1 | ||||
| -rw-r--r-- | src/couchdb/couch_db.hrl | 3 | ||||
| -rw-r--r-- | src/couchdb/couch_httpd.erl | 2 | ||||
| -rw-r--r-- | src/couchdb/couch_httpd_auth.erl | 22 | ||||
| -rw-r--r-- | src/couchdb/couch_httpd_db.erl | 1 | ||||
| -rw-r--r-- | src/couchdb/couch_httpd_oauth.erl | 2 | ||||
| -rw-r--r-- | src/couchdb/couch_server.erl | 1 |
10 files changed, 24 insertions, 18 deletions
diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js index ed67d744..237f9312 100644 --- a/share/www/script/couch_test_runner.js +++ b/share/www/script/couch_test_runner.js @@ -164,10 +164,13 @@ function setupAdminParty(fun) { }, "admins"); } }); - } else { - // not a logged in admin. + } else if (userCtx.roles.indexOf("_admin") != -1) { + // admin party! readyToRun = true; fun(); + } else { + // not an admin + alert("Error: You need to be an admin to run the tests."); }; } }); diff --git a/share/www/script/jquery.couch.js b/share/www/script/jquery.couch.js index 8328af60..7e8a0236 100644 --- a/share/www/script/jquery.couch.js +++ b/share/www/script/jquery.couch.js @@ -136,7 +136,6 @@ }, logout: function(options) { options = options || {}; - // TODO this should also login as the logged-out guy using basic auth $.ajax({ type: "DELETE", url: "/_session", dataType: "json", username : "_", password : "_", diff --git a/share/www/script/test/oauth.js b/share/www/script/test/oauth.js index 89e0aaf8..d55d13e8 100644 --- a/share/www/script/test/oauth.js +++ b/share/www/script/test/oauth.js @@ -115,8 +115,6 @@ couchTests.oauth = function(debug) { usersDb.createDb(); // Create a user - // T(CouchDB.createUser("jason", "testpassword", "test@somemail.com", ['test'], adminBasicAuthHeaderValue()).ok); - // Create a user var jasonUserDoc = CouchDB.prepareUserDoc({ username: "jason", roles: ["test"] diff --git a/share/www/script/test/users_db.js b/share/www/script/test/users_db.js index 9e8024f6..2cf63fcf 100644 --- a/share/www/script/test/users_db.js +++ b/share/www/script/test/users_db.js @@ -43,6 +43,7 @@ couchTests.users_db = function(debug) { } }); T(s.name == "jchris@apache.org"); + T(s.user_doc._id == "org.couchdb.user:jchris@apache.org") T(s.info.authenticated == "{couch_httpd_auth, default_authentication_handler}"); T(s.info.user_db == "test_suite_users"); TEquals(["{couch_httpd_oauth, oauth_authentication_handler}", diff --git a/src/couchdb/couch_db.hrl b/src/couchdb/couch_db.hrl index 17917312..99ef8997 100644 --- a/src/couchdb/couch_db.hrl +++ b/src/couchdb/couch_db.hrl @@ -110,7 +110,8 @@ { name=null, roles=[], - handler + handler, + user_doc }). % This should be updated anytime a header change happens that requires more diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl index d6af4f29..252ecdb7 100644 --- a/src/couchdb/couch_httpd.erl +++ b/src/couchdb/couch_httpd.erl @@ -233,7 +233,7 @@ authenticate_request(#httpd{} = Req, [AuthSrc|Rest]) -> AuthFun = make_arity_1_fun(AuthSrc), R = case AuthFun(Req) of #httpd{user_ctx=#user_ctx{}=UserCtx}=Req2 -> - Req2#httpd{user_ctx=UserCtx#user_ctx{handler=AuthSrc}}; + Req2#httpd{user_ctx=UserCtx#user_ctx{handler=?l2b(AuthSrc)}}; Else -> Else end, authenticate_request(R, Rest); diff --git a/src/couchdb/couch_httpd_auth.erl b/src/couchdb/couch_httpd_auth.erl index 95d57d21..554886ca 100644 --- a/src/couchdb/couch_httpd_auth.erl +++ b/src/couchdb/couch_httpd_auth.erl @@ -75,7 +75,8 @@ default_authentication_handler(Req) -> ExpectedHash when ExpectedHash == PasswordHash -> Req#httpd{user_ctx=#user_ctx{ name=?l2b(User), - roles=proplists:get_value(<<"roles">>, UserProps, []) + roles=proplists:get_value(<<"roles">>, UserProps, []), + user_doc={UserProps} }}; _Else -> throw({unauthorized, <<"Name or password is incorrect.">>}) @@ -114,8 +115,9 @@ get_user(UserName) -> UserProps when is_list(UserProps) -> DocRoles = proplists:get_value(<<"roles">>, UserProps), [{<<"roles">>, [<<"_admin">> | DocRoles]}, - {<<"salt">>, ?l2b(Salt)}, - {<<"password_sha">>, ?l2b(HashedPwd)}] + {<<"salt">>, ?l2b(Salt)}, + {<<"password_sha">>, ?l2b(HashedPwd)}, + {<<"user_doc">>, {UserProps}}] end; Else -> get_user_props_from_db(UserName) @@ -250,8 +252,8 @@ cookie_authentication_handler(#httpd{mochi_req=MochiReq}=Req) -> Secret = ?l2b(SecretStr), case get_user(?l2b(User)) of nil -> Req; - Result -> - UserSalt = proplists:get_value(<<"salt">>, Result, <<"">>), + UserProps -> + UserSalt = proplists:get_value(<<"salt">>, UserProps, <<"">>), FullSecret = <<Secret/binary, UserSalt/binary>>, ExpectedHash = crypto:sha_mac(FullSecret, User ++ ":" ++ TimeStr), Hash = ?l2b(string:join(HashParts, ":")), @@ -264,7 +266,8 @@ cookie_authentication_handler(#httpd{mochi_req=MochiReq}=Req) -> ?LOG_DEBUG("Successful cookie auth as: ~p", [User]), Req#httpd{user_ctx=#user_ctx{ name=?l2b(User), - roles=proplists:get_value(<<"roles">>, Result, []) + roles=proplists:get_value(<<"roles">>, UserProps, []), + user_doc=proplists:get_value(<<"user_doc">>, UserProps, null) }, auth={FullSecret, TimeLeft < Timeout*0.9}}; _Else -> Req @@ -351,7 +354,8 @@ handle_session_req(#httpd{method='POST', mochi_req=MochiReq}=Req) -> {[ {ok, true}, {name, proplists:get_value(<<"username">>, User, null)}, - {roles, proplists:get_value(<<"roles">>, User, [])} + {roles, proplists:get_value(<<"roles">>, User, [])}, + {user_doc, proplists:get_value(<<"user_doc">>, User, null)} ]}); _Else -> % clear the session @@ -375,7 +379,7 @@ handle_session_req(#httpd{method='GET', user_ctx=UserCtx}=Req) -> {handlers, [?l2b(H) || H <- couch_httpd:make_fun_spec_strs( couch_config:get("httpd", "authentication_handlers"))]} ] ++ maybe_value(authenticated, UserCtx#user_ctx.handler)}} - ]}) + ] ++ maybe_value(user_doc, UserCtx#user_ctx.user_doc)}) end; % logout by deleting the session handle_session_req(#httpd{method='DELETE'}=Req) -> @@ -391,7 +395,7 @@ handle_session_req(Req) -> send_method_not_allowed(Req, "GET,HEAD,POST,DELETE"). maybe_value(Key, undefined) -> []; -maybe_value(Key, Else) -> [{Key, ?l2b(Else)}]. +maybe_value(Key, Else) -> [{Key, Else}]. to_int(Value) when is_binary(Value) -> to_int(?b2l(Value)); diff --git a/src/couchdb/couch_httpd_db.erl b/src/couchdb/couch_httpd_db.erl index c7e127c2..9233e953 100644 --- a/src/couchdb/couch_httpd_db.erl +++ b/src/couchdb/couch_httpd_db.erl @@ -328,6 +328,7 @@ delete_db_req(#httpd{user_ctx=UserCtx}=Req, DbName) -> do_db_req(#httpd{user_ctx=UserCtx,path_parts=[DbName|_]}=Req, Fun) -> LDbName = ?b2l(DbName), + % I hope this lookup is cheap. case couch_config:get("couch_httpd_auth", "authentication_db") of LDbName -> % make sure user's db always has the auth ddoc diff --git a/src/couchdb/couch_httpd_oauth.erl b/src/couchdb/couch_httpd_oauth.erl index ab786162..ddf84008 100644 --- a/src/couchdb/couch_httpd_oauth.erl +++ b/src/couchdb/couch_httpd_oauth.erl @@ -36,7 +36,7 @@ oauth_authentication_handler(#httpd{mochi_req=MochiReq}=Req) -> % Look up the consumer key and get the roles to give the consumer set_user_ctx(Req, AccessToken) -> - % weird that this is in the config and not a db + % TODO move to db storage Name = case couch_config:get("oauth_token_users", AccessToken) of undefined -> throw({bad_request, unknown_oauth_token}); Value -> ?l2b(Value) diff --git a/src/couchdb/couch_server.erl b/src/couchdb/couch_server.erl index 4c04bca7..afdf9365 100644 --- a/src/couchdb/couch_server.erl +++ b/src/couchdb/couch_server.erl @@ -79,7 +79,6 @@ check_dbname(#server{dbname_regexp=RegExp}, DbName) -> ok end. -% move to auth? is_admin(User, ClearPwd) -> case couch_config:get("admins", User) of "-hashed-" ++ HashedPwdAndSalt -> |