36 #include "AllowedHosts.h"
37 #include "TheBESKeys.h"
38 #include "kvp_utils.h"
39 #include "BESInternalError.h"
41 #include "CurlUtils.h"
42 #include "HttpNames.h"
44 #include "CredentialsManager.h"
45 #include "NgapS3Credentials.h"
46 #include "DmrppNames.h"
// Prefix for the BESDEBUG() messages in this file: "CredentialsManager::<function>() - ".
50 #define prolog std::string("CredentialsManager::").append(__func__).append("() - ")
// Names of the process-environment variables read by load_credentials_from_env()
// (through get_env_value()) to assemble an AccessCredentials set. The values
// include an access key, so the BES process environment carries secret material
// just as the credentials config file does (the file's permissions are checked by
// file_is_secured(); the environment has no equivalent check here).
53 const char *CredentialsManager::ENV_ID_KEY =
"CMAC_ID";
54 const char *CredentialsManager::ENV_ACCESS_KEY =
"CMAC_ACCESS_KEY";
55 const char *CredentialsManager::ENV_REGION_KEY =
"CMAC_REGION";
56 const char *CredentialsManager::ENV_BUCKET_KEY =
"CMAC_BUCKET";
57 const char *CredentialsManager::ENV_URL_KEY =
"CMAC_URL";
// Sentinel for the CATALOG_MANAGER_CREDENTIALS BES key: when the configured value
// equals this string, credentials come from the environment variables above
// instead of from a file.
59 const char *CredentialsManager::USE_ENV_CREDS_KEY_VALUE =
"ENV_CREDS";
// Used with std::call_once so that initialize_instance() runs exactly once
// (file-local; not part of the class interface).
69 static std::once_flag d_cmac_init_once;
84 std::string get_env_value(
const string &key){
86 const char *cstr = getenv(key.c_str());
89 BESDEBUG(CREDS, prolog <<
"From system environment - " << key <<
": " << value << endl);
106 std::string get_config_value(
const string &key){
108 bool key_found=
false;
111 BESDEBUG(CREDS, prolog <<
"Using " << key <<
" from TheBESKeys" << endl);
131 std::call_once(d_cmac_init_once,CredentialsManager::initialize_instance);
138 void CredentialsManager::initialize_instance()
142 atexit(delete_instance);
150 CredentialsManager::CredentialsManager(): ngaps3CredentialsLoaded(false){
159 for (std::map<std::string, AccessCredentials *>::iterator it = creds.begin(); it != creds.end(); ++it) {
169 void CredentialsManager::delete_instance()
185 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
187 creds.insert(std::pair<std::string,AccessCredentials *>(key, ac));
188 BESDEBUG(CREDS, prolog <<
"Added AccessCredentials to CredentialsManager. credentials: " << endl << ac->to_json() << endl);
201 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
204 std::string best_key(
"");
206 if(url->protocol() == HTTP_PROTOCOL || url->protocol() == HTTPS_PROTOCOL) {
207 for (std::map<std::string, AccessCredentials *>::iterator it = creds.begin(); it != creds.end(); ++it) {
208 std::string key = it->first;
209 if (url->str().rfind(key, 0) == 0) {
211 if (key.length() > best_key.length()) {
213 best_match = it->second;
226 bool file_exists(
const string &filename) {
228 return (stat (filename.c_str(), &buffer) == 0);
251 bool file_is_secured(
const string &filename) {
253 if (stat(filename.c_str(), &st) != 0) {
255 err.append(
"file_is_secured() Unable to access file ");
256 err.append(filename).append(
" strerror: ").append(strerror(errno));
260 mode_t perm = st.st_mode;
262 status = (perm & S_IRUSR) && !(
271 BESDEBUG(CREDS, prolog <<
"file_is_secured() " << filename <<
" secured: " << (status ?
"true" :
"false") << endl);
309 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
311 bool found_key =
true;
313 map<string, AccessCredentials *> credential_sets;
318 BESDEBUG(CREDS, prolog <<
"The BES key " << CATALOG_MANAGER_CREDENTIALS
319 <<
" was not found in the BES configuration tree. No AccessCredentials were loaded" << endl);
324 if(config_file ==
string(CredentialsManager::USE_ENV_CREDS_KEY_VALUE)){
326 accessCredentials =
theCM()->load_credentials_from_env();
327 if(accessCredentials){
329 string url = accessCredentials->
get(AccessCredentials::URL_KEY);
330 theCM()->
add(url,accessCredentials);
339 load_ngap_s3_credentials();
341 if(!file_exists(config_file)){
342 BESDEBUG(CREDS, prolog <<
"The file specified by the BES key " << CATALOG_MANAGER_CREDENTIALS
343 <<
" does not exist. No Access Credentials were loaded." << endl);
347 if (!file_is_secured(config_file)) {
349 err.append(
"CredentialsManager config file ");
350 err.append(config_file);
351 err.append(
" is not secured! ");
352 err.append(
"Set the access permissions to -rw------- (600) and try again.");
355 BESDEBUG(CREDS, prolog <<
"The config file '" << config_file <<
"' is secured." << endl);
357 map <string, vector<string>> keystore;
359 kvp::load_keys(config_file, keystore);
361 for(map <
string, vector<string>>::iterator it=keystore.begin(); it!=keystore.end(); it++) {
362 string creds_name = it->first;
363 vector<string> &credentials_entries = it->second;
364 map<string, AccessCredentials *>::iterator mit;
365 mit = credential_sets.find(creds_name);
366 if (mit != credential_sets.end()) {
368 accessCredentials = mit->second;
372 credential_sets.insert(pair<string, AccessCredentials *>(creds_name, accessCredentials));
374 for (vector<string>::iterator jt = credentials_entries.begin(); jt != credentials_entries.end(); jt++) {
375 string credentials_entry = *jt;
376 int index = credentials_entry.find(
":");
378 string key_name = credentials_entry.substr(0, index);
379 string value = credentials_entry.substr(index + 1);
380 BESDEBUG(CREDS, prolog << creds_name <<
":" << key_name <<
"=" << value << endl);
381 accessCredentials->
add(key_name, value);
385 BESDEBUG(CREDS, prolog <<
"Loaded " << credential_sets.size() <<
" AccessCredentials" << endl);
386 vector<AccessCredentials *> bad_creds;
387 map<string,AccessCredentials *>::iterator acit;
389 for (acit = credential_sets.begin(); acit != credential_sets.end(); acit++) {
390 accessCredentials = acit->second;
391 string url = accessCredentials->
get(AccessCredentials::URL_KEY);
393 theCM()->
add(url,accessCredentials);
396 bad_creds.push_back(acit->second);
399 if(bad_creds.size()){
401 vector<AccessCredentials * >::iterator bc;
403 ss <<
"Encountered " << bad_creds.size() <<
" AccessCredentials "
404 <<
" definitions missing an associated URL. offenders: ";
406 for (bc = bad_creds.begin(); bc != bad_creds.end(); bc++) {
407 ss << (*bc)->name() <<
" ";
408 credential_sets.erase((*bc)->name());
413 BESDEBUG(CREDS, prolog <<
"Successfully ingested " <<
theCM()->size() <<
" AccessCredentials" << endl);
430 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
433 string env_url, env_id, env_access_key, env_region, env_bucket;
438 env_id.assign( get_env_value(CredentialsManager::ENV_ID_KEY));
439 env_access_key.assign(get_env_value(CredentialsManager::ENV_ACCESS_KEY));
440 env_region.assign( get_env_value(CredentialsManager::ENV_REGION_KEY));
442 env_url.assign( get_env_value(CredentialsManager::ENV_URL_KEY));
444 if(env_url.length() &&
446 env_access_key.length() &&
448 env_region.length() ){
450 ac->
add(AccessCredentials::URL_KEY, env_url);
451 ac->
add(AccessCredentials::ID_KEY, env_id);
452 ac->
add(AccessCredentials::KEY_KEY, env_access_key);
453 ac->
add(AccessCredentials::REGION_KEY, env_region);
// Starting value for the NGAP S3 base URL in load_ngap_s3_credentials();
// only the scheme is fixed here, the rest is filled in from configuration.
460 std::string NGAP_S3_BASE_DEFAULT=
"https://";
465 void CredentialsManager::load_ngap_s3_credentials( ){
468 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
470 string s3_distribution_endpoint_url;
476 long refresh_margin = 600;
479 refresh_margin = strtol(value.c_str(), 0, 10);
482 string s3_base_url = NGAP_S3_BASE_DEFAULT;
489 nsc->
add(NgapS3Credentials::URL_KEY, s3_base_url);
490 nsc->name(
"NgapS3Credentials");
497 BESDEBUG(CREDS,prolog <<
"WARNING: The BES configuration did not contain an instance of " <<
498 NgapS3Credentials::BES_CONF_S3_ENDPOINT_KEY <<
499 " NGAP S3 Credentials NOT loaded." << endl);
void add(const std::string &key, const std::string &value)
Add the key and value pair.
virtual std::string get(const std::string &key)
exception thrown if internal error encountered
void add(const std::string &url, AccessCredentials *ac)
static CredentialsManager * theMngr
AccessCredentials * get(std::shared_ptr< http::url > &url)
static CredentialsManager * theCM()
Returns the singleton instance of the CredentialsManager.
void get_value(const std::string &s, std::string &val, bool &found)
Retrieve the value of a given key, if set.
static TheBESKeys * TheKeys()