36#include "AllowedHosts.h"
37#include "TheBESKeys.h"
39#include "BESInternalError.h"
44#include "CredentialsManager.h"
45#include "NgapS3Credentials.h"
46#include "DmrppNames.h"
50#define prolog std::string("CredentialsManager::").append(__func__).append("() - ")
// Names of the environment variables that load_credentials_from_env() reads
// (via get_env_value()) when the BES credentials key is set to ENV_CREDS.
// The ID, ACCESS_KEY, REGION and URL variables are read in this file; the
// BUCKET variable is declared here but its use is not shown in this excerpt.
//
// SECURITY NOTE: CMAC_ACCESS_KEY carries a secret. get_env_value() in this
// file echoes every value it reads with BESDEBUG(CREDS, ...), and the
// config-file loader below likewise prints each "key=value" pair it ingests,
// so enabling the CREDS debug context writes the secret into the debug log.
// Treat that log as sensitive (or restrict which keys are echoed).
53const char *CredentialsManager::ENV_ID_KEY =
"CMAC_ID";
54const char *CredentialsManager::ENV_ACCESS_KEY =
"CMAC_ACCESS_KEY";
55const char *CredentialsManager::ENV_REGION_KEY =
"CMAC_REGION";
56const char *CredentialsManager::ENV_BUCKET_KEY =
"CMAC_BUCKET";
57const char *CredentialsManager::ENV_URL_KEY =
"CMAC_URL";
// Sentinel value: when the credentials config key equals this string, the
// loader skips the credentials file entirely and pulls the set from the
// environment instead (see the config_file comparison in load_credentials()).
59const char *CredentialsManager::USE_ENV_CREDS_KEY_VALUE =
"ENV_CREDS";
// Guards the one-time construction of the singleton; consumed by
// std::call_once(d_cmac_init_once, CredentialsManager::initialize_instance).
69static std::once_flag d_cmac_init_once;
84std::string get_env_value(
const string &key){
86 const char *cstr = getenv(key.c_str());
89 BESDEBUG(CREDS, prolog <<
"From system environment - " << key <<
": " << value << endl);
108 std::call_once(d_cmac_init_once,CredentialsManager::initialize_instance);
112void CredentialsManager::initialize_instance()
116 atexit(delete_instance);
124CredentialsManager::CredentialsManager(): ngaps3CredentialsLoaded(false){
133 for (std::map<std::string, AccessCredentials *>::iterator it = creds.begin(); it != creds.end(); ++it) {
143void CredentialsManager::delete_instance()
159 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
161 creds.insert(std::pair<std::string,AccessCredentials *>(key, ac));
162 BESDEBUG(CREDS, prolog <<
"Added AccessCredentials to CredentialsManager. credentials: " << endl << ac->to_json() << endl);
175 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
178 std::string best_key(
"");
180 if(url->protocol() == HTTP_PROTOCOL || url->protocol() == HTTPS_PROTOCOL) {
181 for (std::map<std::string, AccessCredentials *>::iterator it = creds.begin(); it != creds.end(); ++it) {
182 std::string key = it->first;
183 if (url->str().rfind(key, 0) == 0) {
185 if (key.length() > best_key.length()) {
187 best_match = it->second;
200bool file_exists(
const string &filename) {
202 return (stat (filename.c_str(), &buffer) == 0);
225bool file_is_secured(
const string &filename) {
227 if (stat(filename.c_str(), &st) != 0) {
229 err.append(
"file_is_secured() Unable to access file ");
230 err.append(filename).append(
" strerror: ").append(strerror(errno));
234 mode_t perm = st.st_mode;
236 status = (perm & S_IRUSR) && !(
245 BESDEBUG(CREDS, prolog <<
"file_is_secured() " << filename <<
" secured: " << (status ?
"true" :
"false") << endl);
283 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
285 bool found_key =
true;
287 map<string, AccessCredentials *> credential_sets;
292 BESDEBUG(CREDS, prolog <<
"The BES key " << CATALOG_MANAGER_CREDENTIALS
293 <<
" was not found in the BES configuration tree. No AccessCredentials were loaded" << endl);
298 if(config_file ==
string(CredentialsManager::USE_ENV_CREDS_KEY_VALUE)){
300 accessCredentials =
theCM()->load_credentials_from_env();
301 if(accessCredentials){
303 string url = accessCredentials->
get(AccessCredentials::URL_KEY);
304 theCM()->
add(url,accessCredentials);
313 load_ngap_s3_credentials();
315 if(!file_exists(config_file)){
316 BESDEBUG(CREDS, prolog <<
"The file specified by the BES key " << CATALOG_MANAGER_CREDENTIALS
317 <<
" does not exist. No Access Credentials were loaded." << endl);
321 if (!file_is_secured(config_file)) {
323 err.append(
"CredentialsManager config file ");
324 err.append(config_file);
325 err.append(
" is not secured! ");
326 err.append(
"Set the access permissions to -rw------- (600) and try again.");
329 BESDEBUG(CREDS, prolog <<
"The config file '" << config_file <<
"' is secured." << endl);
331 map <string, vector<string>> keystore;
333 kvp::load_keys(config_file, keystore);
335 for(map <
string, vector<string>>::iterator it=keystore.begin(); it!=keystore.end(); it++) {
336 string creds_name = it->first;
337 vector<string> &credentials_entries = it->second;
338 map<string, AccessCredentials *>::iterator mit;
339 mit = credential_sets.find(creds_name);
340 if (mit != credential_sets.end()) {
342 accessCredentials = mit->second;
346 credential_sets.insert(pair<string, AccessCredentials *>(creds_name, accessCredentials));
348 for (vector<string>::iterator jt = credentials_entries.begin(); jt != credentials_entries.end(); jt++) {
349 string credentials_entry = *jt;
350 int index = credentials_entry.find(
":");
352 string key_name = credentials_entry.substr(0, index);
353 string value = credentials_entry.substr(index + 1);
354 BESDEBUG(CREDS, prolog << creds_name <<
":" << key_name <<
"=" << value << endl);
355 accessCredentials->
add(key_name, value);
359 BESDEBUG(CREDS, prolog <<
"Loaded " << credential_sets.size() <<
" AccessCredentials" << endl);
360 vector<AccessCredentials *> bad_creds;
361 map<string,AccessCredentials *>::iterator acit;
363 for (acit = credential_sets.begin(); acit != credential_sets.end(); acit++) {
364 accessCredentials = acit->second;
365 string url = accessCredentials->
get(AccessCredentials::URL_KEY);
367 theCM()->
add(url,accessCredentials);
370 bad_creds.push_back(acit->second);
373 if(bad_creds.size()){
375 vector<AccessCredentials * >::iterator bc;
377 ss <<
"Encountered " << bad_creds.size() <<
" AccessCredentials "
378 <<
" definitions missing an associated URL. offenders: ";
380 for (bc = bad_creds.begin(); bc != bad_creds.end(); bc++) {
381 ss << (*bc)->name() <<
" ";
382 credential_sets.erase((*bc)->name());
387 BESDEBUG(CREDS, prolog <<
"Successfully ingested " <<
theCM()->size() <<
" AccessCredentials" << endl);
404 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
407 string env_url, env_id, env_access_key, env_region, env_bucket;
412 env_id.assign( get_env_value(CredentialsManager::ENV_ID_KEY));
413 env_access_key.assign(get_env_value(CredentialsManager::ENV_ACCESS_KEY));
414 env_region.assign( get_env_value(CredentialsManager::ENV_REGION_KEY));
416 env_url.assign( get_env_value(CredentialsManager::ENV_URL_KEY));
418 if(env_url.length() &&
420 env_access_key.length() &&
422 env_region.length() ){
424 ac->
add(AccessCredentials::URL_KEY, env_url);
425 ac->
add(AccessCredentials::ID_KEY, env_id);
426 ac->
add(AccessCredentials::KEY_KEY, env_access_key);
427 ac->
add(AccessCredentials::REGION_KEY, env_region);
// Starting value for s3_base_url in load_ngap_s3_credentials(); the result
// becomes NgapS3Credentials::URL_KEY. This is only the URL scheme -- the
// lines that build the rest of the URL are not shown in this excerpt, so
// presumably the distribution endpoint from the BES configuration is
// appended to it (verify against the full function). Keep the scheme as
// "https://": this URL is where the temporary S3 credentials are obtained
// (per the surrounding code's naming), and a plain-http default would expose them.
434std::string NGAP_S3_BASE_DEFAULT=
"https://";
439void CredentialsManager::load_ngap_s3_credentials( ){
442 std::lock_guard<std::recursive_mutex> lock_me(d_lock_mutex);
444 string s3_distribution_endpoint_url;
450 long refresh_margin = 600;
453 refresh_margin = strtol(value.c_str(), 0, 10);
456 string s3_base_url = NGAP_S3_BASE_DEFAULT;
463 nsc->
add(NgapS3Credentials::URL_KEY, s3_base_url);
464 nsc->name(
"NgapS3Credentials");
471 BESDEBUG(CREDS,prolog <<
"WARNING: The BES configuration did not contain an instance of " <<
472 NgapS3Credentials::BES_CONF_S3_ENDPOINT_KEY <<
473 " NGAP S3 Credentials NOT loaded." << endl);