#pragma once

/// NOTE(review): the include targets, and the template arguments of the
/// std::map / std::unordered_map / std::optional members further down, are
/// not visible in this copy of the header. The tokens are kept exactly as
/// found; the comments next to them say what the surrounding code implies.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

namespace Poco
{
    class Logger;
    namespace Util
    {
        class AbstractConfiguration;
    }
}

namespace DB
{

class SettingsChanges;

/// Entry point for verifying user credentials against external identity
/// providers configured in the server config: LDAP servers, Kerberos realms and
/// HTTP Basic authentication servers.
///
/// Thread-safety: every mutable member is annotated TSA_GUARDED_BY(mutex), so the
/// check*/get* methods are expected to be callable concurrently; the mutex is
/// `mutable` so that the const methods can take it.
class ExternalAuthenticators
{
public:
    /// Discards all parsed parameters and all cached LDAP results.
    void reset();

    /// Parses the external-authenticator sections of `config` and installs them
    /// as the active parameters; `log` receives diagnostics.
    /// Presumably replaces (rather than merges with) previously parsed state —
    /// confirm against the implementation.
    void setConfiguration(const Poco::Util::AbstractConfiguration & config, LoggerPtr log);

    // The name and readiness of the credentials must be verified before calling these.
    //
    // Security note: the check* methods rely on that precondition — the caller is
    // responsible for rejecting credentials with an unexpected user name or a
    // credentials object that is not yet fully received; nothing below re-checks it.

    /// Authenticates `credentials` (user name + password) against the LDAP server
    /// configured under `server`. Returns true on success.
    /// When `role_search_params` is given, the configured role searches are
    /// presumably executed as well and their results written to
    /// `role_search_results` (both optional; nullptr means "no role search").
    bool checkLDAPCredentials(const String & server, const BasicCredentials & credentials,
        const LDAPClient::RoleSearchParamsList * role_search_params = nullptr, LDAPClient::SearchResultsList * role_search_results = nullptr) const;

    /// Validates an accepted GSS/Kerberos context against the configured `realm`.
    /// Returns true if the context is acceptable for that realm.
    bool checkKerberosCredentials(const String & realm, const GSSAcceptorContext & credentials) const;

    /// Authenticates `credentials` against the HTTP Basic auth server configured
    /// under `server`. `settings` is an out-parameter: presumably settings
    /// returned by the auth server are recorded into it — verify against the .cpp.
    bool checkHTTPBasicCredentials(const String & server, const BasicCredentials & credentials, SettingsChanges & settings) const;

    /// Returns a copy of the configured Kerberos parameters.
    GSSAcceptorContext::Params getKerberosParams() const;

private:
    /// Looks up the HTTP auth client parameters configured for `server`.
    HTTPAuthClientParams getHTTPAuthenticationParams(const String& server) const;

    /// Per-user record of the most recent *successful* LDAP authentication.
    /// Security-relevant: while an entry is considered fresh, a matching request can
    /// be accepted without contacting the LDAP server again, so a password change
    /// or account revocation on the server side may not take effect until the
    /// entry expires. The freshness/cooldown policy lives in the implementation.
    struct LDAPCacheEntry
    {
        /// Hash of the parameters (presumably including the password) of the last
        /// successful attempt; a request whose hash differs should not hit the cache.
        UInt128 last_successful_params_hash = 0;
        /// Monotonic timestamp of that success, used to decide whether the entry is still fresh.
        std::chrono::steady_clock::time_point last_successful_authentication_timestamp;
        /// Role search results obtained during that success, so they can be reused.
        LDAPClient::SearchResultsList last_successful_role_search_results;
    };

    /// Template arguments not visible in this copy; per the comments, these are
    /// keyed by user name / server name respectively.
    using LDAPCache = std::unordered_map; // user name -> cache entry
    using LDAPCaches = std::map; // server name -> cache
    using LDAPParams = std::map; // server name -> params

    /// Guards every member below. `mutable` so the const check*/get* methods can lock it.
    mutable std::mutex mutex;
    /// Per-server LDAP client parameters as parsed from the config (a blueprint that
    /// is presumably copied and completed with the user's credentials per request).
    LDAPParams ldap_client_params_blueprint TSA_GUARDED_BY(mutex) ;
    /// Per-server authentication caches; mutable because the const check method updates them.
    mutable LDAPCaches ldap_caches TSA_GUARDED_BY(mutex) ;
    /// Kerberos parameters, unset when no realm is configured (std::optional; argument not visible here).
    std::optional kerberos_params TSA_GUARDED_BY(mutex) ;
    /// HTTP Basic auth servers by name (std::unordered_map; arguments not visible here).
    std::unordered_map http_auth_servers TSA_GUARDED_BY(mutex) ;

    /// Clears all state; the caller must already hold `mutex`.
    void resetImpl() TSA_REQUIRES(mutex);
};

/// Fills `params` with the LDAP role-search settings found under `prefix` in `config`.
void parseLDAPRoleSearchParams(LDAPClient::RoleSearchParams & params, const Poco::Util::AbstractConfiguration & config, const String & prefix);

}