hypermodeinc · gitlw · Dec 6, 2018 · Nov 29, 2018 · Nov 21, 2018 · Nov 21, 2018
diff --git a/dgraph/cmd/alpha/run.go b/dgraph/cmd/alpha/run.go
@@ -21,6 +21,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -54,6 +55,11 @@ import (
 	hapi "google.golang.org/grpc/health/grpc_health_v1"
 )
 
+const (
+	tlsNodeCert = "node.crt"
+	tlsNodeKey  = "node.key"
+)
+
 var (
 	bindall bool
 	tlsConf x.TLSHelperConfig
@@ -120,6 +126,9 @@ they form a Raft group and provide synchronous replication.
 		"If set, all Alter requests to Dgraph would need to have this token."+
 			" The token can be passed as follows: For HTTP requests, in X-Dgraph-AuthToken header."+
 			" For Grpc, in auth-token key in the context.")
+	flag.String("hmac_secret_file", "", "The file storing the HMAC secret"+
+		" that is used for signing the JWT. Enterprise feature.")
+	flag.Duration("jwt_ttl", 6*time.Hour, "The TTL of jwt tokens. Enterprise feature.")
 	flag.Float64P("lru_mb", "l", -1,
 		"Estimated memory the LRU cache can take. "+
 			"Actual usage by the process would be more than specified here.")
@@ -380,7 +389,7 @@ var shutdownCh chan struct{}
 func run() {
 	bindall = Alpha.Conf.GetBool("bindall")
 
-	edgraph.SetConfiguration(edgraph.Options{
+	edgraphOptions := edgraph.Options{
 		BadgerTables: Alpha.Conf.GetString("badger.tables"),
 		BadgerVlog:   Alpha.Conf.GetString("badger.vlog"),
 
@@ -390,7 +399,21 @@ func run() {
 		Nomutations:    Alpha.Conf.GetBool("nomutations"),
 		AuthToken:      Alpha.Conf.GetString("auth_token"),
 		AllottedMemory: Alpha.Conf.GetFloat64("lru_mb"),
-	})
+	}
+
+	secretFile := Alpha.Conf.GetString("hmac_secret_file")
+	if secretFile != "" {
+		hmacSecret, err := ioutil.ReadFile(secretFile)
+		if err != nil {
+			glog.Fatalf("Unable to read HMAC secret from file: %v", secretFile)
+		}
+
+	    edgraphOptions.HmacSecret = hmacSecret
+	    edgraphOptions.JwtTtl = Alpha.Conf.GetDuration("jwt_ttl")
+
+		glog.Info("HMAC secret loaded successfully.")
+	}
+	edgraph.SetConfiguration(edgraphOptions)
 
 	ips, err := parseIPsFromString(Alpha.Conf.GetString("whitelist"))
 	x.Check(err)
@@ -406,7 +429,7 @@ func run() {
 		MaxRetries:          Alpha.Conf.GetInt("max_retries"),
 	}
 
-	x.LoadTLSConfig(&tlsConf, Alpha.Conf)
+	x.LoadTLSConfig(&tlsConf, Alpha.Conf, tlsNodeCert, tlsNodeKey)
 	tlsConf.ClientAuth = Alpha.Conf.GetString("tls_client_auth")
 
 	setupCustomTokenizers()

diff --git a/dgraph/cmd/live/run.go b/dgraph/cmd/live/run.go
@@ -34,8 +34,6 @@ import (
 	"strings"
 	"time"
 
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/metadata"
 
 	"github.com/dgraph-io/badger"
@@ -48,11 +46,6 @@ import (
 	"github.com/spf13/cobra"
 )
 
-const (
-	tlsLiveCert = "client.live.crt"
-	tlsLiveKey  = "client.live.key"
-)
-
 type options struct {
 	files               string
 	schemaFile          string
@@ -239,34 +232,6 @@ func (l *loader) processFile(ctx context.Context, file string) error {
 	return nil
 }
 
-func setupConnection(host string, insecure bool) (*grpc.ClientConn, error) {
-	if insecure {
-		return grpc.Dial(host,
-			grpc.WithDefaultCallOptions(
-				grpc.MaxCallRecvMsgSize(x.GrpcMaxSize),
-				grpc.MaxCallSendMsgSize(x.GrpcMaxSize)),
-			grpc.WithInsecure(),
-			grpc.WithBlock(),
-			grpc.WithTimeout(10*time.Second))
-	}
-
-	tlsConf.ConfigType = x.TLSClientConfig
-	tlsConf.Cert = filepath.Join(tlsConf.CertDir, tlsLiveCert)
-	tlsConf.Key = filepath.Join(tlsConf.CertDir, tlsLiveKey)
-	tlsCfg, _, err := x.GenerateTLSConfig(tlsConf)
-	if err != nil {
-		return nil, err
-	}
-
-	return grpc.Dial(host,
-		grpc.WithDefaultCallOptions(
-			grpc.MaxCallRecvMsgSize(x.GrpcMaxSize),
-			grpc.MaxCallSendMsgSize(x.GrpcMaxSize)),
-		grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg)),
-		grpc.WithBlock(),
-		grpc.WithTimeout(10*time.Second))
-}
-
 func fileList(files string) []string {
 	if len(files) == 0 {
 		return []string{}
@@ -285,7 +250,7 @@ func setup(opts batchMutationOptions, dc *dgo.Dgraph) *loader {
 	kv, err := badger.Open(o)
 	x.Checkf(err, "Error while creating badger KV posting store")
 
-	connzero, err := setupConnection(opt.zero, true)
+	connzero, err := x.SetupConnection(opt.zero, true, &tlsConf)
 	x.Checkf(err, "Unable to connect to zero, Is it running at %s?", opt.zero)
 
 	alloc := xidmap.New(
@@ -329,7 +294,7 @@ func run() error {
 		ignoreIndexConflict: Live.Conf.GetBool("ignore_index_conflict"),
 		authToken:           Live.Conf.GetString("auth_token"),
 	}
-	x.LoadTLSConfig(&tlsConf, Live.Conf)
+	x.LoadTLSConfig(&tlsConf, Live.Conf, x.TlsClientCert, x.TlsClientKey)
 	tlsConf.ServerName = Live.Conf.GetString("tls_server_name")
 
 	go http.ListenAndServe("localhost:6060", nil)
@@ -345,7 +310,7 @@ func run() error {
 	ds := strings.Split(opt.dgraph, ",")
 	var clients []api.DgraphClient
 	for _, d := range ds {
-		conn, err := setupConnection(d, !tlsConf.CertRequired)
+		conn, err := x.SetupConnection(d, !tlsConf.CertRequired, &tlsConf)
 		x.Checkf(err, "While trying to setup connection to Dgraph alpha.")
 		defer conn.Close()
 

diff --git a/dgraph/cmd/root.go b/dgraph/cmd/root.go
@@ -29,6 +29,7 @@ import (
 	"github.com/dgraph-io/dgraph/dgraph/cmd/live"
 	"github.com/dgraph-io/dgraph/dgraph/cmd/version"
 	"github.com/dgraph-io/dgraph/dgraph/cmd/zero"
+	"github.com/dgraph-io/dgraph/ee/acl/cmd"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/spf13/cobra"
 	flag "github.com/spf13/pflag"
@@ -86,7 +87,7 @@ func init() {
 
 	var subcommands = []*x.SubCommand{
 		&bulk.Bulk, &cert.Cert, &conv.Conv, &live.Live, &alpha.Alpha, &zero.Zero,
-		&version.Version, &debug.Debug,
+		&version.Version, &debug.Debug, &acl.CmdAcl,
 	}
 	for _, sc := range subcommands {
 		RootCmd.AddCommand(sc.Cmd)

diff --git a/edgraph/access_oss.go b/edgraph/access_oss.go
@@ -0,0 +1,16 @@
+// +build oss
+
+package edgraph
+
+import (
+	"context"
+	"github.com/dgraph-io/dgo/protos/api"
+	"github.com/dgraph-io/dgraph/oss"
+	"github.com/golang/glog"
+)
+
+func (s *Server) Login(ctx context.Context,
+	request *api.LogInRequest) (*api.LogInResponse, error) {
+	glog.Infof("Login failed: %s", oss.ErrNotSupported)
+	return &api.LogInResponse{}, nil
+}
diff --git a/edgraph/config.go b/edgraph/config.go
@@ -19,6 +19,7 @@ package edgraph
 import (
 	"expvar"
 	"path/filepath"
+	"time"
 
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/worker"
@@ -34,6 +35,9 @@ type Options struct {
 	AuthToken    string
 
 	AllottedMemory float64
+
+	HmacSecret []byte
+	JwtTtl     time.Duration
 }
 
 var Config Options

diff --git a/edgraph/server.go b/edgraph/server.go
@@ -598,6 +598,11 @@ func parseNQuads(b []byte) ([]*api.NQuad, error) {
 	return nqs, nil
 }
 
+// parseMutationObject tries to consolidate fields of the api.Mutation into the
+// corresponding field of the returned gql.Mutation. For example, the 3 fields,
+// api.Mutation#SetJson, api.Mutation#SetNquads and api.Mutation#Set are consolidated into the
+// gql.Mutation.Set field. Similarly the 3 fields api.Mutation#DeleteJson, api.Mutation#DelNquads
+// and api.Mutation#Del are merged into the gql.Mutation#Del field.
 func parseMutationObject(mu *api.Mutation) (*gql.Mutation, error) {
 	res := &gql.Mutation{}
 	if len(mu.SetJson) > 0 {

diff --git a/ee/acl/acl_test.go b/ee/acl/acl_test.go
@@ -0,0 +1,121 @@
+// +build !oss
+
+/*
+ * Copyright 2018 Dgraph Labs, Inc. All rights reserved.
+ *
+ * Licensed under the Dgraph Community License (the "License"); you
+ * may not use this file except in compliance with the License. You
+ * may obtain a copy of the License at
+ *
+ *     https://github.com/dgraph-io/dgraph/blob/master/licenses/DCL.txt
+ */
+
+package acl
+
+import (
+	"os/exec"
+	"testing"
+)
+
+const (
+	userid         = "alice"
+	userpassword   = "simplepassword"
+	dgraphEndpoint = "localhost:9180"
+)
+
+func TestAcl(t *testing.T) {
+	t.Run("create user", CreateAndDeleteUsers)
+	t.Run("login", LogIn)
+}
+
+func checkOutput(t *testing.T, cmd *exec.Cmd, shouldFail bool) string {
+	out, err := cmd.CombinedOutput()
+	if (!shouldFail && err != nil) || (shouldFail && err == nil) {
+		t.Errorf("Error output from command:%v", string(out))
+		t.Fatal(err)
+	}
+
+	return string(out)
+}
+
+func CreateAndDeleteUsers(t *testing.T) {
+	createUserCmd1 := exec.Command("dgraph", "acl", "useradd", "-d", dgraphEndpoint, "-u", userid,
+		"-p", userpassword)
+	createUserOutput1 := checkOutput(t, createUserCmd1, false)
+	t.Logf("Got output when creating user:%v", createUserOutput1)
+
+	createUserCmd2 := exec.Command("dgraph", "acl", "useradd", "-d", dgraphEndpoint, "-u", userid,
+		"-p", userpassword)
+
+	// create the user again should fail
+	createUserOutput2 := checkOutput(t, createUserCmd2, true)
+	t.Logf("Got output when creating user:%v", createUserOutput2)
+
+	// delete the user
+	deleteUserCmd := exec.Command("dgraph", "acl", "userdel", "-d", dgraphEndpoint, "-u", userid)
+	deleteUserOutput := checkOutput(t, deleteUserCmd, false)
+	t.Logf("Got output when deleting user:%v", deleteUserOutput)
+
+	// now we should be able to create the user again
+	createUserCmd3 := exec.Command("dgraph", "acl", "useradd", "-d", dgraphEndpoint, "-u", userid,
+		"-p", userpassword)
+	createUserOutput3 := checkOutput(t, createUserCmd3, false)
+	t.Logf("Got output when creating user:%v", createUserOutput3)
+}
+
+func LogIn(t *testing.T) {
+	// delete and recreate the user to ensure a clean state
+	/*
+		deleteUserCmd := exec.Command("dgraph", "acl", "userdel", "-d", dgraphEndpoint, "-u", "lucas")
+		deleteUserOutput := checkOutput(t, deleteUserCmd, false)
+		createUserCmd := exec.Command("dgraph", "acl", "useradd", "-d", dgraphEndpoint, "-u", "lucas",
+			"-p", "haha")
+		createUserOutput := checkOutput(t, createUserCmd, false)
+	*/
+
+	// now try to login with the wrong password
+
+	//loginWithWrongPassword(t, ctx, adminClient)
+	//loginWithCorrectPassword(t, ctx, adminClient)
+}
+
+/*
+func loginWithCorrectPassword(t *testing.T, ctx context.Context,
+	adminClient api.DgraphAccessClient) {
+	loginRequest := api.LogInRequest{
+		Userid:   userid,
+		Password: userpassword,
+	}
+	response2, err := adminClient.LogIn(ctx, &loginRequest)
+	require.NoError(t, err)
+	if response2.Code != api.AclResponseCode_OK {
+		t.Errorf("Login with the correct password should result in the code %v",
+			api.AclResponseCode_OK)
+	}
+	jwt := acl.Jwt{}
+	jwt.DecodeString(response2.Context.Jwt, false, nil)
+	if jwt.Payload.Userid != userid {
+		t.Errorf("the jwt token should have the user id encoded")
+	}
+	jwtTime := time.Unix(jwt.Payload.Exp, 0)
+	jwtValidDays := jwtTime.Sub(time.Now()).Round(time.Hour).Hours() / 24
+	if jwtValidDays != 30.0 {
+		t.Errorf("The jwt token should be valid for 30 days, received %v days", jwtValidDays)
+	}
+}
+
+func loginWithWrongPassword(t *testing.T, ctx context.Context,
+	adminClient api.DgraphAccessClient) {
+	loginRequestWithWrongPassword := api.LogInRequest{
+		Userid:   userid,
+		Password: userpassword + "123",
+	}
+
+	response, err := adminClient.LogIn(ctx, &loginRequestWithWrongPassword)
+	require.NoError(t, err)
+	if response.Code != api.AclResponseCode_UNAUTHENTICATED {
+		t.Errorf("Login with the wrong password should result in the code %v", api.AclResponseCode_UNAUTHENTICATED)
+	}
+}
+
+*/