# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Handles loading of AuthProvider for CQLSH authentication.
"""
import configparser
import sys
from importlib import import_module
from cqlshlib.util import is_file_secure
def _warn_for_plain_text_security(config_file, provider_settings):
"""
Call when using PlainTextAuthProvider
check to see if password appears in the basic provider settings
as this is a security risk
Will write errors to stderr
"""
if 'password' in provider_settings:
if not is_file_secure(config_file):
print("""\nWarning: Password is found in an insecure cqlshrc file.
The file is owned or readable by other users on the system.""",
end='',
file=sys.stderr)
print("""\nNotice: Credentials in the cqlshrc file is deprecated and
will be ignored in the future.\n
Please use a credentials file to
specify the username and password.\n""",
file=sys.stderr)
def load_auth_provider(config_file=None, cred_file=None, username=None, password=None):
"""
Function which loads an auth provider from available config.
Params:
* config_file ..: path to cqlsh config file (usually ~/.cassandra/cqlshrc).
* cred_file ....: path to cqlsh credentials file (default is ~/.cassandra/credentials).
* username .....: override used to return PlainTextAuthProvider according to legacy case
* password .....: override used to return PlainTextAuthProvider according to legacy case
Will attempt to load an auth provider from available config file, using what's found in
credentials file as an override.
Config file is expected to list module name /class in the *auth_provider*
section for dynamic loading (which is to be of type auth_provider)
Additional params passed to the constructor of class should be specified
in the *auth_provider* section and can be freely named to match
auth provider's expectation.
If passed username and password these will be overridden and passed to auth provider
None is returned if no possible auth provider is found, and no username/password can be
returned. If a username is found, system will assume that PlainTextAuthProvider was
specified
EXAMPLE CQLSHRC:
# .. inside cqlshrc file
[auth_provider]
module = cassandra.auth
classname = PlainTextAuthProvider
username = user1
password = password1
if credentials file is specified put relevant properties under the class name
EXAMPLE
# ... inside credentials file for above example
[PlainTextAuthProvider]
password = password2
Credential attributes will override found in the cqlshrc.
in the above example, PlainTextAuthProvider would be used with a password of 'password2',
and username of 'user1'
"""
def get_settings_from_config(section_name,
conf_file,
interpolation=configparser.BasicInterpolation()):
"""
Returns dict from section_name, and ini based conf_file
* section_name ..: Section to read map of properties from (ex: [auth_provider])
* conf_file .....: Ini based config file to read. Will return empty dict if None.
* interpolation .: Interpolation to use.
If section is not found, or conf_file is None, function will return an empty dictionary.
"""
conf = configparser.ConfigParser(interpolation=interpolation)
if conf_file is None:
return {}
conf.read(conf_file)
if section_name in conf.sections():
return dict(conf.items(section_name))
return {}
def get_cred_file_settings(classname, creds_file):
# Since this is the credentials file we may be encountering raw strings
# as these are what passwords, or security tokens may inadvertently fall into
# we don't want interpolation to mess with them.
return get_settings_from_config(
section_name=classname,
conf_file=creds_file,
interpolation=None)
def get_auth_provider_settings(conf_file):
return get_settings_from_config(
section_name='auth_provider',
conf_file=conf_file)
def get_legacy_settings(legacy_username, legacy_password):
result = {}
if legacy_username is not None:
result['username'] = legacy_username
if legacy_password is not None:
result['password'] = legacy_password
return result
provider_settings = get_auth_provider_settings(config_file)
module_name = provider_settings.pop('module', None)
class_name = provider_settings.pop('classname', None)
if module_name is None and class_name is None:
# not specified, default to plaintext auth provider
module_name = 'cassandra.auth'
class_name = 'PlainTextAuthProvider'
elif module_name is None or class_name is None:
# then this was PARTIALLY specified.
return None
credential_settings = get_cred_file_settings(class_name, cred_file)
if module_name == 'cassandra.auth' and class_name == 'PlainTextAuthProvider':
# merge credential settings as overrides on top of provider settings.
# we need to ensure that password property gets "set" in all cases.
# this is to support the ability to give the user a prompt in other parts
# of the code.
_warn_for_plain_text_security(config_file, provider_settings)
ctor_args = {'password': None,
**provider_settings,
**credential_settings,
**get_legacy_settings(username, password)}
# if no username, we can't create PlainTextAuthProvider
if 'username' not in ctor_args:
return None
else:
# merge credential settings as overrides on top of provider settings.
ctor_args = {**provider_settings,
**credential_settings,
**get_legacy_settings(username, password)}
# Load class definitions
module = import_module(module_name)
auth_provider_klass = getattr(module, class_name)
# instantiate the class
return auth_provider_klass(**ctor_args)