public static bool Authenticate(HttpContext httpContext, ServerStore serverStore, string database, string remoteTask)
{
var feature = httpContext.Features.Get <IHttpAuthenticationFeature>() as RavenServer.AuthenticateConnection;
if (feature == null) // we are not using HTTPS
{
return(true);
}
switch (feature.Status)
{
case RavenServer.AuthenticationStatus.Operator:
case RavenServer.AuthenticationStatus.ClusterAdmin:
// we can trust this certificate
return(true);
case RavenServer.AuthenticationStatus.Allowed:
// check that the certificate is allowed for this database.
if (feature.CanAccess(database, requireAdmin: false))
{
return(true);
}
RequestRouter.UnlikelyFailAuthorization(httpContext, database, feature, AuthorizationStatus.RestrictedAccess);
return(false);
case RavenServer.AuthenticationStatus.UnfamiliarIssuer:
RequestRouter.UnlikelyFailAuthorization(httpContext, database, feature, AuthorizationStatus.RestrictedAccess);
return(false);
case RavenServer.AuthenticationStatus.UnfamiliarCertificate:
using (serverStore.ContextPool.AllocateOperationContext(out TransactionOperationContext context))
using (context.OpenReadTransaction())
{
if (serverStore.Cluster.TryReadPullReplicationDefinition(database, remoteTask, context, out var pullReplication))
{
var cert = httpContext.Connection.ClientCertificate;
if (pullReplication.CanAccess(cert?.Thumbprint))
{
return(true);
}
}
RequestRouter.UnlikelyFailAuthorization(httpContext, database, feature, AuthorizationStatus.RestrictedAccess);
return(false);
}
default:
throw new ArgumentException($"This is a bug, we should deal with '{feature?.Status}' authentication status at RequestRoute.TryAuthorize function.");
}
}