From 7fc2d25cf25d573fb2c7bde836264ed5d5bce016 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Thu, 18 May 2017 16:16:16 +0300 Subject: [PATCH] MXS-1220: Allow new REST API users to be created The REST API now uses the same users as MaxAdmin network interface. This allows them to be created with MaxAdmin. The next step is to add user creation to the REST API. --- .../Getting-Started/Configuration-Guide.md | 14 +++--------- include/maxscale/config.h | 2 -- server/core/admin.cc | 22 ++++++++++--------- server/core/config.cc | 10 --------- 4 files changed, 15 insertions(+), 33 deletions(-) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 976e150f4..18c5bf87b 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -544,17 +544,9 @@ Enable HTTP admin interface authentication using HTTP Basic Access authentication. This is not a secure method of authentication but it does add a small layer of security. This option is disabled by default. -#### `admin_user` - -The HTTP admin interface username. This is the username which is used when -_admin_auth_ is enabled. The default user for the HTTP admin interface is -`admin`. - -#### `admin_password` - -The HTTP admin interface password. This is the which which is used when -_admin_auth_ is enabled. The default password for the HTTP admin interface is -`mariadb`. +The admin interface authentication uses the same user as MaxAdmin network +interface. This means that new users can be added with both MaxAdmin and the +REST API. The default credentials for the interface are `admin:mariadb`. #### `admin_ssl_key` diff --git a/include/maxscale/config.h b/include/maxscale/config.h index d1d664121..2bb06b426 100644 --- a/include/maxscale/config.h +++ b/include/maxscale/config.h 
@@ -193,8 +193,6 @@ typedef struct bool skip_permission_checks; /**< Skip service and monitor permission checks */ char qc_name[PATH_MAX]; /**< The name of the query classifier to load */ char* qc_args; /**< Arguments for the query classifier */ - char admin_user[MAX_ADMIN_USER_LEN]; /**< Admin interface user */ - char admin_password[MAX_ADMIN_PW_LEN]; /**< Admin interface password */ char admin_host[MAX_ADMIN_HOST_LEN]; /**< Admin interface host */ uint16_t admin_port; /**< Admin interface port */ bool admin_auth; /**< Admin interface authentication */ diff --git a/server/core/admin.cc b/server/core/admin.cc index 2ff66894a..7b48913d8 100644 --- a/server/core/admin.cc +++ b/server/core/admin.cc @@ -33,6 +33,7 @@ #include #include #include +#include #include "maxscale/resource.hh" @@ -152,24 +153,25 @@ void close_client(void *cls, bool do_auth(MHD_Connection *connection) { - const char *admin_user = config_get_global_options()->admin_user; - const char *admin_pw = config_get_global_options()->admin_password; bool admin_auth = config_get_global_options()->admin_auth; char* pw = NULL; char* user = MHD_basic_auth_get_username_password(connection, &pw); bool rval = true; - if (admin_auth && (!user || !pw || strcmp(user, admin_user) || strcmp(pw, admin_pw))) + if (admin_auth) { - rval = false; - static char error_resp[] = "Access denied\r\n"; - MHD_Response *resp = - MHD_create_response_from_buffer(sizeof(error_resp) - 1, error_resp, - MHD_RESPMEM_PERSISTENT); + if (!user || !pw || !admin_verify_inet_user(user, pw)) + { + rval = false; + static char error_resp[] = "{\"errors\": [ { \"detail\": \"Access denied\" } ] }"; + MHD_Response *resp = + MHD_create_response_from_buffer(sizeof(error_resp) - 1, error_resp, + MHD_RESPMEM_PERSISTENT); - MHD_queue_basic_auth_fail_response(connection, "maxscale", resp); - MHD_destroy_response(resp); + MHD_queue_basic_auth_fail_response(connection, "maxscale", resp); + MHD_destroy_response(resp); + } } return rval; 
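Review bot: `user` and `pw` returned by `MHD_basic_auth_get_username_password()` are not released on any path visible in the `do_auth` hunk, so each request appears to leak the decoded username and leave the clear-text password on the heap. libmicrohttpd passes ownership of both strings to the caller, so adding `free(user); free(pw);` just before `return rval;` would close this. The call runs before any credential check, so the leak can be driven by unauthenticated clients. Separately, the new `!admin_verify_inet_user(user, pw)` branch queues the 401 without logging; a log line there with the supplied user name (never the password) would let operators alert on repeated failures. The end of `do_auth` after `return rval;` is not visible in the hunk.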
diff --git a/server/core/config.cc b/server/core/config.cc
index 6f8e444aa..16220f548 100644
--- a/server/core/config.cc
+++ b/server/core/config.cc
@@ -1524,14 +1524,6 @@ handle_global_item(const char *name, const char *value)
 MXS_FREE(v);
 }
 }
- else if (strcmp(name, CN_ADMIN_USER) == 0)
- {
- strcpy(gateway.admin_user, value);
- }
- else if (strcmp(name, CN_ADMIN_PASSWORD) == 0)
- {
- strcpy(gateway.admin_password, value);
- }
 else if (strcmp(name, CN_ADMIN_PORT) == 0)
 {
 gateway.admin_port = atoi(value);
@@ -1784,8 +1776,6 @@ global_defaults()
 gateway.admin_auth = false;
 gateway.admin_enabled = true;
 strcpy(gateway.admin_host, DEFAULT_ADMIN_HOST);
- strcpy(gateway.admin_user, INET_DEFAULT_USERNAME);
- strcpy(gateway.admin_password, INET_DEFAULT_PASSWORD);
 gateway.admin_ssl_key[0] = '\0';
 gateway.admin_ssl_cert[0] = '\0';
 gateway.admin_ssl_ca_cert[0] = '\0';