import quincy 17.2.0
1 // Licensed to the Apache Software Foundation (ASF) under one
2 // or more contributor license agreements. See the NOTICE file
3 // distributed with this work for additional information
4 // regarding copyright ownership. The ASF licenses this file
5 // to you under the Apache License, Version 2.0 (the
6 // "License"); you may not use this file except in compliance
7 // with the License. You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing,
12 // software distributed under the License is distributed on an
13 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14 // KIND, either express or implied. See the License for the
15 // specific language governing permissions and limitations
16 // under the License.
17
18 /// \brief Server-side APIs to implement authentication for Flight.
19
20 #pragma once
21
22 #include <string>
23
24 #include "arrow/flight/visibility.h"
25 #include "arrow/status.h"
26
27 namespace arrow {
28
29 namespace flight {
30
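/// \brief A reader for messages from the client during an
/// authentication handshake.
///
/// Everything obtained through Read() comes from a peer whose identity has
/// not been established yet, so handlers should treat it as untrusted input
/// (validate its length and format before using it).
class ARROW_FLIGHT_EXPORT ServerAuthReader {
 public:
  virtual ~ServerAuthReader() = default;

  /// \brief Read the next handshake message sent by the client.
  /// \param[out] token Receives the client's message.
  /// \return A Status describing the outcome of the read. Check it before
  /// using the contents of \p token.
  virtual Status Read(std::string* token) = 0;
};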
38
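/// \brief A writer for messages to the client during an
/// authentication handshake.
///
/// Messages written here go to a peer that is still in the middle of the
/// handshake, i.e. not yet authenticated. Avoid placing secrets or detailed
/// failure reasons in them.
class ARROW_FLIGHT_EXPORT ServerAuthSender {
 public:
  virtual ~ServerAuthSender() = default;

  /// \brief Send one handshake message to the client.
  /// \param[in] message The payload to send.
  /// \return A Status describing the outcome of the write.
  virtual Status Write(const std::string& message) = 0;
};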
46
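/// \brief An authentication implementation for a Flight service.
/// Authentication includes both an initial negotiation and a per-call
/// token validation. Implementations may choose to use either or both
/// mechanisms.
/// An implementation may need to track some state, e.g. a mapping of
/// client tokens to authenticated identities.
///
/// NOTE(review): this header does not say which threads call the handler.
/// If the server can invoke it concurrently, any such token-to-identity
/// state needs its own synchronization. Confirm against the server
/// implementation.
class ARROW_FLIGHT_EXPORT ServerAuthHandler {
 public:
  virtual ~ServerAuthHandler();

  /// \brief Authenticate the client on initial connection. The server
  /// can send and read responses from the client at any time.
  /// \param[in] outgoing Channel for messages to the client.
  /// \param[in] incoming Channel for messages from the client. Its contents
  /// are supplied by the not-yet-authenticated peer and must be treated as
  /// untrusted.
  /// \return A Status. By analogy with IsValid(), a non-OK status presumably
  /// signals a failed handshake (confirm against the server implementation).
  virtual Status Authenticate(ServerAuthSender* outgoing, ServerAuthReader* incoming) = 0;

  /// \brief Validate a per-call client token.
  ///
  /// Since the token may be empty, an implementation that does not intend to
  /// allow anonymous calls has to reject the empty string explicitly. When
  /// tokens are compared against stored secrets, a comparison whose timing
  /// does not depend on the first mismatching byte is preferable.
  ///
  /// \param[in] token The client token. May be the empty string if
  /// the client does not provide a token.
  /// \param[out] peer_identity The identity of the peer, if this
  /// authentication method supports it. Only meaningful when the returned
  /// status is OK.
  /// \return Status OK if the token is valid, any other status if
  /// validation failed
  virtual Status IsValid(const std::string& token, std::string* peer_identity) = 0;
};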
68
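/// \brief An authentication mechanism that does nothing.
///
/// NOTE(review): the method bodies are not part of this header. Going by the
/// description above, no credential check is performed, so a server using
/// this handler should be assumed to accept every client. Use it only where
/// access is restricted by other means (for example network isolation or
/// transport-level authentication), and do not rely on \c peer_identity for
/// authorization decisions when this handler is in use.
class ARROW_FLIGHT_EXPORT NoOpAuthHandler : public ServerAuthHandler {
 public:
  ~NoOpAuthHandler() override;

  /// \brief Handshake hook. See ServerAuthHandler::Authenticate for the
  /// contract.
  Status Authenticate(ServerAuthSender* outgoing, ServerAuthReader* incoming) override;

  /// \brief Per-call token hook. See ServerAuthHandler::IsValid for the
  /// contract.
  Status IsValid(const std::string& token, std::string* peer_identity) override;
};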
76
77 } // namespace flight
78 } // namespace arrow