@@ -90,9 +90,9 @@ std::string AuthInfo::jwtSecret() {
9090// private, must be called with _authInfoLock in write mode
9191bool AuthInfo::parseUsers (VPackSlice const & slice) {
9292 TRI_ASSERT (slice.isArray ());
93+ TRI_ASSERT (_authInfo.empty ());
94+ TRI_ASSERT (_authBasicCache.empty ());
9395
94- _authInfo.clear ();
95- _authBasicCache.clear ();
9696 for (VPackSlice const & authSlice : VPackArrayIterator (slice)) {
9797 VPackSlice s = authSlice.resolveExternal ();
9898
@@ -108,10 +108,7 @@ bool AuthInfo::parseUsers(VPackSlice const& slice) {
108108 // we also need to insert inactive users into the cache here
109109 // otherwise all following update/replace/remove operations on the
110110 // user will fail
111-
112- // intentional copy, as we'll be moving out of auth soon
113- std::string username = auth.username ();
114- _authInfo.emplace (std::move (username), std::move (auth));
111+ _authInfo.emplace (auth.username (), std::move (auth));
115112 }
116113
117114 return true ;
@@ -124,7 +121,7 @@ static std::shared_ptr<VPackBuilder> QueryAllUsers(
124121 LOG_TOPIC (DEBUG, arangodb::Logger::FIXME) << " system database is unknown"
125122 THROW_ARANGO_EXCEPTION (TRI_ERROR_INTERNAL);
126123 }
127-
124+
128125 // we cannot set this execution context, otherwise the transaction
129126 // will ask us again for permissions and we get a deadlock
130127 ExecContext* oldExe = ExecContext::CURRENT;
@@ -146,7 +143,9 @@ static std::shared_ptr<VPackBuilder> QueryAllUsers(
146143 (queryResult.code == TRI_ERROR_QUERY_KILLED)) {
147144 THROW_ARANGO_EXCEPTION (TRI_ERROR_REQUEST_CANCELED);
148145 }
149- return std::shared_ptr<VPackBuilder>();
146+ THROW_ARANGO_EXCEPTION_MESSAGE (queryResult.code ,
147+ " Error executing user query"
148+ // return std::shared_ptr<VPackBuilder>();
150149 }
151150
152151 VPackSlice usersSlice = queryResult.result ->slice ();
@@ -173,7 +172,7 @@ static VPackBuilder QueryUser(aql::QueryRegistry* queryRegistry,
173172 ExecContext* oldExe = ExecContext::CURRENT;
174173 ExecContext::CURRENT = nullptr ;
175174 TRI_DEFER (ExecContext::CURRENT = oldExe);
176-
175+
177176 std::string const queryStr (" FOR u IN _users FILTER u.user == @name RETURN u"
178177 auto emptyBuilder = std::make_shared<VPackBuilder>();
179178
@@ -192,7 +191,8 @@ static VPackBuilder QueryUser(aql::QueryRegistry* queryRegistry,
192191 (queryResult.code == TRI_ERROR_QUERY_KILLED)) {
193192 THROW_ARANGO_EXCEPTION (TRI_ERROR_REQUEST_CANCELED);
194193 }
195- THROW_ARANGO_EXCEPTION_MESSAGE (queryResult.code , " query error"
194+ THROW_ARANGO_EXCEPTION_MESSAGE (queryResult.code ,
195+ " Error executing user query"
196196 }
197197
198198 VPackSlice usersSlice = queryResult.result ->slice ();
@@ -225,6 +225,14 @@ static void ConvertLegacyFormat(VPackSlice doc, VPackBuilder& result) {
225225// private, will acquire _authInfoLock in write-mode and release it.
226226// will also aquire _loadFromDBLock and release it
227227void AuthInfo::loadFromDB () {
228+ TRI_ASSERT (_queryRegistry != nullptr );
229+ TRI_ASSERT (ServerState::instance ()->isSingleServerOrCoordinator ());
230+ auto role = ServerState::instance ()->getRole ();
231+ if (role != ServerState::ROLE_SINGLE &&
232+ role != ServerState::ROLE_COORDINATOR) {
233+ _outdated = false ;
234+ return ;
235+ }
228236 if (!_outdated) {
229237 return ;
230238 }
@@ -236,46 +244,46 @@ void AuthInfo::loadFromDB() {
236244 return ;
237245 }
238246
239- auto role = ServerState::instance ()->getRole ();
240-
241- if (role != ServerState::ROLE_SINGLE &&
242- role != ServerState::ROLE_COORDINATOR) {
243- _outdated = false ;
244- return ;
245- }
246-
247- TRI_ASSERT (_queryRegistry != nullptr );
248- std::shared_ptr<VPackBuilder> builder = QueryAllUsers (_queryRegistry);
249-
250247 WRITE_LOCKER (writeLocker, _authInfoLock);
251- _authBasicCache.clear ();
252-
253- if (builder) {
254- VPackSlice usersSlice = builder->slice ();
255- if (usersSlice.length () != 0 ) {
256- parseUsers (usersSlice);
248+ try {
249+ std::shared_ptr<VPackBuilder> builder = QueryAllUsers (_queryRegistry);
250+ _authInfo.clear ();
251+ _authBasicCache.clear ();
252+ if (builder) {
253+ VPackSlice usersSlice = builder->slice ();
254+ if (usersSlice.length () != 0 ) {
255+ parseUsers (usersSlice);
256+ }
257257 }
258+ _outdated = _authInfo.empty () == true ;
259+ } catch (...) {
260+ LOG_TOPIC (WARN, Logger::AUTHENTICATION)
261+ << " Exception when loading users from db"
262+ _outdated = true ;
258263 }
259-
260- if (_authInfo.empty ()) {
261- insertInitial ();
262- }
263- _outdated = false ;
264264}
265265
266- // private, must be called with _authInfoLock in write mode
267- void AuthInfo::insertInitial () {
268- if (!_authInfo.empty ()) {
266+ // only call from the boostrap feature, must be sure to be the only one
267+ void AuthInfo::createRootUser () {
268+ loadFromDB ();
269+
270+ MUTEX_LOCKER (locker, _loadFromDBLock);
271+ WRITE_LOCKER (writeLocker, _authInfoLock);
272+ auto it = _authInfo.find (" root"
273+ if (it != _authInfo.end ()) {
274+ LOG_TOPIC (TRACE, Logger::AUTHENTICATION) << " Root already exists"
269275 return ;
270276 }
271-
277+ TRI_ASSERT (_authInfo.empty ());
278+
272279 try {
273280 // Attention:
274281 // the root user needs to have a specific rights grant
275282 // to the "_system" database, otherwise things break
276283 auto initDatabaseFeature =
277284 application_features::ApplicationServer::getFeature<
278285 InitDatabaseFeature>(" InitDatabase"
286+ TRI_ASSERT (initDatabaseFeature != nullptr );
279287
280288 AuthUserEntry entry = AuthUserEntry::newUser (
281289 " root" defaultPassword (), AuthSource::COLLECTION);
@@ -300,15 +308,14 @@ Result AuthInfo::storeUserInternal(AuthUserEntry const& entry, bool replace) {
300308 if (vocbase == nullptr ) {
301309 return Result (TRI_ERROR_INTERNAL);
302310 }
303-
311+
304312 // we cannot set this execution context, otherwise the transaction
305313 // will ask us again for permissions and we get a deadlock
306314 ExecContext* oldExe = ExecContext::CURRENT;
307315 ExecContext::CURRENT = nullptr ;
308316 TRI_DEFER (ExecContext::CURRENT = oldExe);
309317
310- std::shared_ptr<transaction::Context> ctx (
311- new transaction::StandaloneContext (vocbase));
318+ auto ctx = transaction::StandaloneContext::Create (vocbase);
312319 SingleCollectionTransaction trx (ctx, TRI_COL_NAME_USERS,
313320 AccessMode::Type::WRITE);
314321 trx.addHint (transaction::Hints::Hint::SINGLE_OPERATION);
@@ -443,15 +450,14 @@ static Result UpdateUser(VPackSlice const& user) {
443450 if (vocbase == nullptr ) {
444451 return Result (TRI_ERROR_INTERNAL);
445452 }
446-
453+
447454 // we cannot set this execution context, otherwise the transaction
448455 // will ask us again for permissions and we get a deadlock
449456 ExecContext* oldExe = ExecContext::CURRENT;
450457 ExecContext::CURRENT = nullptr ;
451458 TRI_DEFER (ExecContext::CURRENT = oldExe);
452459
453- std::shared_ptr<transaction::Context> ctx (
454- new transaction::StandaloneContext (vocbase));
460+ auto ctx = transaction::StandaloneContext::Create (vocbase);
455461 SingleCollectionTransaction trx (ctx, TRI_COL_NAME_USERS,
456462 AccessMode::Type::WRITE);
457463 trx.addHint (transaction::Hints::Hint::SINGLE_OPERATION);
@@ -480,6 +486,8 @@ Result AuthInfo::enumerateUsers(
480486 return r;
481487 }
482488 }
489+ // must also clear the basic cache here because the secret may be
490+ // invalid now if the password was changed
483491 _authBasicCache.clear ();
484492 }
485493 // we need to reload data after the next callback
@@ -494,7 +502,6 @@ Result AuthInfo::updateUser(std::string const& user,
494502 }
495503 loadFromDB ();
496504 Result r;
497- VPackBuilder data;
498505 { // we require an consisten view on the user object
499506 WRITE_LOCKER (guard, _authInfoLock);
500507 auto it = _authInfo.find (user);
@@ -503,7 +510,7 @@ Result AuthInfo::updateUser(std::string const& user,
503510 }
504511 TRI_ASSERT (!it->second .key ().empty ());
505512 func (it->second );
506- data = it->second .toVPackBuilder ();
513+ VPackBuilder data = it->second .toVPackBuilder ();
507514 r = UpdateUser (data.slice ());
508515 // must also clear the basic cache here because the secret may be
509516 // invalid now if the password was changed
@@ -529,8 +536,8 @@ Result AuthInfo::accessUser(
529536}
530537
531538VPackBuilder AuthInfo::serializeUser (std::string const & user) {
532- // loadFromDB();
533- // READ_LOCKER(guard, _authInfoLock)
539+ loadFromDB ();
540+ // will query db directly, no need for _authInfoLock
534541 VPackBuilder doc = QueryUser (_queryRegistry, user);
535542 VPackBuilder result;
536543 if (!doc.isEmpty ()) {
@@ -545,15 +552,14 @@ static Result RemoveUserInternal(AuthUserEntry const& entry) {
545552 if (vocbase == nullptr ) {
546553 return Result (TRI_ERROR_INTERNAL);
547554 }
548-
555+
549556 // we cannot set this execution context, otherwise the transaction
550557 // will ask us again for permissions and we get a deadlock
551558 ExecContext* oldExe = ExecContext::CURRENT;
552559 ExecContext::CURRENT = nullptr ;
553560 TRI_DEFER (ExecContext::CURRENT = oldExe);
554561
555- std::shared_ptr<transaction::Context> ctx (
556- new transaction::StandaloneContext (vocbase));
562+ auto ctx = transaction::StandaloneContext::Create (vocbase);
557563 SingleCollectionTransaction trx (ctx, TRI_COL_NAME_USERS,
558564 AccessMode::Type::WRITE);
559565
@@ -648,7 +654,6 @@ Result AuthInfo::setConfigData(std::string const& user,
648654 partial.close ();
649655
650656 return UpdateUser (partial.slice ());
651- ;
652657}
653658
654659VPackBuilder AuthInfo::getUserData (std::string const & username) {
@@ -754,6 +759,8 @@ AuthLevel AuthInfo::canUseCollection(std::string const& username,
754759}
755760
756761// public called from HttpCommTask.cpp and VstCommTask.cpp
762+ // should only lock if required, otherwise we will serialize all
763+ // requests whether we need to or not
757764AuthResult AuthInfo::checkAuthentication (AuthenticationMethod authType,
758765 std::string const & secret) {
759766 switch (authType) {
0 commit comments