memgraph/src/auth/models.hpp

// Copyright 2022 Memgraph Ltd.
//
// Licensed as a Memgraph Enterprise file under the Memgraph Enterprise
// License (the "License"); by using this file, you agree to be bound by the terms of the License, and you may not use
// this file except in compliance with the License. You may obtain a copy of the License at https://memgraph.com/legal.
//
//

#pragma once

#include <optional>
#include <string>

#include <json/json.hpp>

namespace memgraph::auth {
// These permissions must have values that are applicable for usage in a
// bitmask.
// clang-format off
enum class Permission : uint64_t {
  MATCH        = 1,
  CREATE       = 1U << 1U,
  MERGE        = 1U << 2U,
  DELETE       = 1U << 3U,
  SET          = 1U << 4U,
  REMOVE       = 1U << 5U,
  INDEX        = 1U << 6U,
  STATS        = 1U << 7U,
  CONSTRAINT   = 1U << 8U,
  DUMP         = 1U << 9U,
  REPLICATION  = 1U << 10U,
  DURABILITY   = 1U << 11U,
  READ_FILE    = 1U << 12U,
  FREE_MEMORY  = 1U << 13U,
  TRIGGER      = 1U << 14U,
  CONFIG       = 1U << 15U,
  AUTH         = 1U << 16U,
  STREAM       = 1U << 17U,
  MODULE_READ  = 1U << 18U,
  MODULE_WRITE = 1U << 19U,
  WEBSOCKET    = 1U << 20U,
  SCHEMA       = 1U << 21U
};
// clang-format on

// Function that converts a permission to its string representation.
std::string PermissionToString(Permission permission);

// Class that indicates what permission level the user/role has.
enum class PermissionLevel {
  GRANT,
  NEUTRAL,
  DENY,
};

// Function that converts a permission level to its string representation.
std::string PermissionLevelToString(PermissionLevel level);

class Permissions final {
 public:
  Permissions(uint64_t grants = 0, uint64_t denies = 0);

  PermissionLevel Has(Permission permission) const;

  void Grant(Permission permission);

  void Revoke(Permission permission);

  void Deny(Permission permission);

  std::vector<Permission> GetGrants() const;

  std::vector<Permission> GetDenies() const;

  nlohmann::json Serialize() const;

  /// @throw AuthException if unable to deserialize.
  static Permissions Deserialize(const nlohmann::json &data);

  uint64_t grants() const;
  uint64_t denies() const;

 private:
  uint64_t grants_{0};
  uint64_t denies_{0};
};

bool operator==(const Permissions &first, const Permissions &second);

bool operator!=(const Permissions &first, const Permissions &second);

class Role final {
 public:
  Role(const std::string &rolename);

  Role(const std::string &rolename, const Permissions &permissions);

  const std::string &rolename() const;
  const Permissions &permissions() const;
  Permissions &permissions();

  nlohmann::json Serialize() const;

  /// @throw AuthException if unable to deserialize.
  static Role Deserialize(const nlohmann::json &data);

  friend bool operator==(const Role &first, const Role &second);

 private:
  std::string rolename_;
  Permissions permissions_;
};

bool operator==(const Role &first, const Role &second);

// TODO (mferencevic): Implement password expiry.
class User final {
 public:
  User(const std::string &username);

  User(const std::string &username, const std::string &password_hash, const Permissions &permissions);

  /// @throw AuthException if unable to verify the password.
  bool CheckPassword(const std::string &password);

  /// @throw AuthException if unable to set the password.
  void UpdatePassword(const std::optional<std::string> &password = std::nullopt);

  void SetRole(const Role &role);

  void ClearRole();

  Permissions GetPermissions() const;

  const std::string &username() const;

  const Permissions &permissions() const;
  Permissions &permissions();

  const Role *role() const;

  nlohmann::json Serialize() const;

  /// @throw AuthException if unable to deserialize.
  static User Deserialize(const nlohmann::json &data);

  friend bool operator==(const User &first, const User &second);

 private:
  std::string username_;
  std::string password_hash_;
  Permissions permissions_;
  std::optional<Role> role_;
};

bool operator==(const User &first, const User &second);
}  // namespace memgraph::auth
Procedures for handling modules (#330) 2022-02-11 18:29:41 +08:00			`// Copyright 2022 Memgraph Ltd.`
Add new memgraph licenses and move third party licenses (#248) 2021-10-03 18:07:04 +08:00			`//`
			`// Licensed as a Memgraph Enterprise file under the Memgraph Enterprise`
			`// License (the "License"); by using this file, you agree to be bound by the terms of the License, and you may not use`
			`// this file except in compliance with the License. You may obtain a copy of the License at https://memgraph.com/legal.`
			`//`
			`//`

Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`#pragma once`

Migrate to C++17 Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1974 2019-04-23 17:00:49 +08:00			`#include <optional>`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`#include <string>`

			`#include <json/json.hpp>`

Address review comments 2022-03-09 22:53:33 +08:00			`namespace memgraph::auth {`
Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`// These permissions must have values that are applicable for usage in a`
			`// bitmask.`
Add LOCK DATA DIRECTORY query (#68) 2021-01-19 19:10:06 +08:00			`// clang-format off`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`enum class Permission : uint64_t {`
Procedures for handling modules (#330) 2022-02-11 18:29:41 +08:00			`MATCH = 1,`
			`CREATE = 1U << 1U,`
			`MERGE = 1U << 2U,`
			`DELETE = 1U << 3U,`
			`SET = 1U << 4U,`
			`REMOVE = 1U << 5U,`
			`INDEX = 1U << 6U,`
			`STATS = 1U << 7U,`
			`CONSTRAINT = 1U << 8U,`
			`DUMP = 1U << 9U,`
			`REPLICATION = 1U << 10U,`
			`DURABILITY = 1U << 11U,`
			`READ_FILE = 1U << 12U,`
			`FREE_MEMORY = 1U << 13U,`
			`TRIGGER = 1U << 14U,`
			`CONFIG = 1U << 15U,`
			`AUTH = 1U << 16U,`
			`STREAM = 1U << 17U,`
			`MODULE_READ = 1U << 18U,`
Add websocket authentication (#322) 2022-02-17 17:35:48 +08:00			`MODULE_WRITE = 1U << 19U,`
Create schema DDL expressions * Add initial schema implementation * Add index to schema * List schemas and enable multiple properties * Implement SchemaTypes * Apply suggestions from code review Co-authored-by: Jeremy B <97525434+42jeremy@users.noreply.github.com> Co-authored-by: János Benjamin Antal <antaljanosbenjamin@users.noreply.github.com> * Address review comments * Remove Map and List * Add schema operations in storage * Add create and show schema queries * Add privileges for schema * Add missing keywords into lexer * Add drop schema query * Add schema visitors * Update metadata * Add PrepareSchemaQuery function * Implement show schemas * Add show schema query * Fix schema visitor * Add common schema type * Fix grammar * Temporary create ddl logic * Fix naming for schemaproperty type to schema type * Rename schemaproperty to schemapropertytype * Enable Create schema ddl * Override visitPropertyType * Add initial schema implementation * Add initial schema implementation * Add index to schema * List schemas and enable multiple properties * Implement SchemaTypes * Apply suggestions from code review Co-authored-by: Jeremy B <97525434+42jeremy@users.noreply.github.com> Co-authored-by: János Benjamin Antal <antaljanosbenjamin@users.noreply.github.com> * Address review comments * Remove Map and List * Apply suggestions from code review Co-authored-by: Kostas Kyrimis <kostaskyrim@gmail.com> Co-authored-by: Jeremy B <97525434+42jeremy@users.noreply.github.com> Co-authored-by: János Benjamin Antal <antaljanosbenjamin@users.noreply.github.com> Co-authored-by: Kostas Kyrimis <kostaskyrim@gmail.com> * Add verification on creation and deletion * Rename DeleteSchema to DropSchema * Remove list and map from lexer * Fix grammar with schemaTypeMap * Add privilege and cypher visitor tests * Catch repeating type name in schema definition * Fix conflicting keywords * Add notifications * Drop float support * Finish interpreter tests * Fix tests * Fix clang tidy errors * Fix GetSchema * Replace for with transfrom * Add cloning og schema_property_map * Address review comments * Rename SchemaPropertyType to SchemaType * Remove inline * Assert of schema properties Co-authored-by: Jeremy B <97525434+42jeremy@users.noreply.github.com> Co-authored-by: János Benjamin Antal <antaljanosbenjamin@users.noreply.github.com> Co-authored-by: Kostas Kyrimis <kostaskyrim@gmail.com> 2022-07-11 15:20:15 +08:00			`WEBSOCKET = 1U << 20U,`
			`SCHEMA = 1U << 21U`
Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`};`
Add LOCK DATA DIRECTORY query (#68) 2021-01-19 19:10:06 +08:00			`// clang-format on`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00
Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`// Function that converts a permission to its string representation.`
			`std::string PermissionToString(Permission permission);`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00
Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`// Class that indicates what permission level the user/role has.`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`enum class PermissionLevel {`
Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`GRANT,`
			`NEUTRAL,`
			`DENY,`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`};`

Integrate auth checks into query execution Reviewers: mtomic, teon.banek Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1544 2018-08-22 16:59:46 +08:00			`// Function that converts a permission level to its string representation.`
			`std::string PermissionLevelToString(PermissionLevel level);`

Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`class Permissions final {`
			`public:`
			`Permissions(uint64_t grants = 0, uint64_t denies = 0);`

			`PermissionLevel Has(Permission permission) const;`

			`void Grant(Permission permission);`

			`void Revoke(Permission permission);`

			`void Deny(Permission permission);`

Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`std::vector<Permission> GetGrants() const;`

			`std::vector<Permission> GetDenies() const;`

Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`nlohmann::json Serialize() const;`

Document throwing methods in Auth, User and Role classes Reviewers: mferencevic Reviewed By: mferencevic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D2622 2020-01-15 20:57:58 +08:00			`/// @throw AuthException if unable to deserialize.`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`static Permissions Deserialize(const nlohmann::json &data);`

			`uint64_t grants() const;`
			`uint64_t denies() const;`

			`private:`
			`uint64_t grants_{0};`
			`uint64_t denies_{0};`
			`};`

			`bool operator==(const Permissions &first, const Permissions &second);`

			`bool operator!=(const Permissions &first, const Permissions &second);`

			`class Role final {`
			`public:`
			`Role(const std::string &rolename);`

			`Role(const std::string &rolename, const Permissions &permissions);`

			`const std::string &rolename() const;`
			`const Permissions &permissions() const;`
			`Permissions &permissions();`

			`nlohmann::json Serialize() const;`

Document throwing methods in Auth, User and Role classes Reviewers: mferencevic Reviewed By: mferencevic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D2622 2020-01-15 20:57:58 +08:00			`/// @throw AuthException if unable to deserialize.`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`static Role Deserialize(const nlohmann::json &data);`

			`friend bool operator==(const Role &first, const Role &second);`

			`private:`
			`std::string rolename_;`
			`Permissions permissions_;`
			`};`

			`bool operator==(const Role &first, const Role &second);`

			`// TODO (mferencevic): Implement password expiry.`
			`class User final {`
			`public:`
			`User(const std::string &username);`

Format all the memgraph and test source files (#97) 2021-02-18 22:32:43 +08:00			`User(const std::string &username, const std::string &password_hash, const Permissions &permissions);`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00
Document throwing methods in Auth, User and Role classes Reviewers: mferencevic Reviewed By: mferencevic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D2622 2020-01-15 20:57:58 +08:00			`/// @throw AuthException if unable to verify the password.`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`bool CheckPassword(const std::string &password);`

Document throwing methods in Auth, User and Role classes Reviewers: mferencevic Reviewed By: mferencevic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D2622 2020-01-15 20:57:58 +08:00			`/// @throw AuthException if unable to set the password.`
Format all the memgraph and test source files (#97) 2021-02-18 22:32:43 +08:00			`void UpdatePassword(const std::optional<std::string> &password = std::nullopt);`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00
			`void SetRole(const Role &role);`

Implement leftover Auth queries Reviewers: mtomic, buda Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1535 2018-08-14 17:34:00 +08:00			`void ClearRole();`

Add privilege check in triggers and streams (#200) 2021-07-22 22:22:08 +08:00			`Permissions GetPermissions() const;`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00
			`const std::string &username() const;`

Integrate auth checks into query execution Reviewers: mtomic, teon.banek Reviewed By: mtomic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1544 2018-08-22 16:59:46 +08:00			`const Permissions &permissions() const;`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`Permissions &permissions();`

Add privilege check in triggers and streams (#200) 2021-07-22 22:22:08 +08:00			`const Role *role() const;`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00
			`nlohmann::json Serialize() const;`

Document throwing methods in Auth, User and Role classes Reviewers: mferencevic Reviewed By: mferencevic Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D2622 2020-01-15 20:57:58 +08:00			`/// @throw AuthException if unable to deserialize.`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`static User Deserialize(const nlohmann::json &data);`

			`friend bool operator==(const User &first, const User &second);`

			`private:`
			`std::string username_;`
			`std::string password_hash_;`
			`Permissions permissions_;`
Migrate to C++17 Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: pullbot Differential Revision: https://phabricator.memgraph.io/D1974 2019-04-23 17:00:49 +08:00			`std::optional<Role> role_;`
Initial implementation of authentication Reviewers: teon.banek, buda Reviewed By: teon.banek Subscribers: mtomic, pullbot Differential Revision: https://phabricator.memgraph.io/D1488 2018-07-27 16:54:20 +08:00			`};`

			`bool operator==(const User &first, const User &second);`
Address review comments 2022-03-09 22:53:33 +08:00			`} // namespace memgraph::auth`