that is the WIP for the auth branch

api/libsphinxclient/sphinxclient.h

@@ -255,6 +255,7 @@ sphinx_keyword_info *		sphinx_build_keywords			( sphinx_client * client, const c
 char **						sphinx_status					( sphinx_client * client, int * num_rows, int * num_cols );
 char **						sphinx_status_extended			( sphinx_client * client, int * num_rows, int * num_cols, int local );
 void						sphinx_status_destroy			( char ** status, int num_rows, int num_cols );
+sphinx_bool					sphinx_set_user					( sphinx_client * client, const char * user, const char * password );
 
 /////////////////////////////////////////////////////////////////////////////
 

api/libsphinxclient/test.c

@@ -155,10 +155,11 @@ void test_excerpt ( sphinx_client * client )
 		g_failed += ( res==NULL );
 		if ( !g_smoke )
 			die ( "query failed: %s", sphinx_error(client) );
+	} else
+	{
+		for ( i=0; i<ndocs; i++ )
+			printf ( "n=%d, res=%s\n", 1+i, res[i] );
 	}
-
-	for ( i=0; i<ndocs; i++ )
-		printf ( "n=%d, res=%s\n", 1+i, res[i] );
 }
 
 
@@ -205,11 +206,18 @@ void test_excerpt_spz ( sphinx_client * client )
 
 		res = sphinx_build_excerpts ( client, ndocs, (const char **)docs, index, words, &opts );
 		if ( !res )
-			die ( "query failed: %s", sphinx_error(client) );
+		{
+			if ( !g_smoke )
+				die ( "query failed: %s", sphinx_error(client) );
+			else
+				printf ( "query failed: %s", sphinx_error(client) );
 
-		for ( i=0; i<ndocs; i++ )
-			printf ( "n=%d, res=%s\n", 1+i, res[i] );
-		printf ( "\n" );
+		} else
+		{
+			for ( i=0; i<ndocs; i++ )
+				printf ( "n=%d, res=%s\n", 1+i, res[i] );
+			printf ( "\n" );
+		}
 	}
 }
 
@@ -426,17 +434,32 @@ void title ( const char * name )
 
 int main ( int argc, char ** argv )
 {
-	int i, port = 0;
+	int i, port = 9312;
 	sphinx_client * client;
 //	sphinx_uint64_t override_docid = 2;
 //	unsigned int override_value = 2000;
+	const char * user = NULL;
+	const char * password = NULL;
 
 	for ( i=1; i<argc; i++ )
 	{
 		if ( strcmp ( argv[i], "--smoke" )==0 )
 			g_smoke = SPH_TRUE;
 		else if ( strcmp ( argv[i], "--port" )==0 && i+1<argc )
+		{
 			port = (int)strtoul ( argv[i+1], NULL, 10 );
+			i++;
+		}
+		else if ( strcmp ( argv[i], "--user" )==0 && i+1<argc )
+		{
+			user = argv[i+1];
+			i++;
+		}
+		else if ( strcmp ( argv[i], "--password" )==0 && i+1<argc )
+		{
+			password = argv[i+1];
+			i++;
+		}
 	}
 
 	net_init ();
@@ -447,6 +470,8 @@ int main ( int argc, char ** argv )
 
 	if ( port )
 		sphinx_set_server ( client, "127.0.0.1", port );
+	if ( user )
+		sphinx_set_user ( client, user, password );
 
 	sphinx_set_match_mode ( client, SPH_MATCH_EXTENDED2 );
 	sphinx_set_sort_mode ( client, SPH_SORT_RELEVANCE, NULL );
@@ -495,6 +520,8 @@ int main ( int argc, char ** argv )
 	test_query ( client, "is", "test1" );
 
 	sphinx_cleanup ( client );
+	if ( user )
+		sphinx_set_user ( client, user, password );
 
 	// group_by (attr; mva) + filter + post update
 	title ( "group_by (attr; mva) +  filter + post update" );

api/sphinxapi.php

@@ -121,6 +121,12 @@
 define ( "SPH_UPDATE_STRING",		2 );
 define ( "SPH_UPDATE_JSON",			3 );
 
+/// known auth types
+define ( "AUTH_NO",     1 );
+define ( "AUTH_SHA1",   2 );
+define ( "AUTH_SHA256", 3 );
+
+
 // important properties of PHP's integers:
 //  - always signed (one bit short of PHP_INT_SIZE)
 //  - conversion from string to int is saturated
@@ -459,6 +465,9 @@ class SphinxClient
 	var $_token_filter_library; ///< token_filter plugin library name
 	var $_token_filter_name; ///< token_filter plugin name
 	var $_token_filter_opts; ///< token_filter plugin options
+
+	var $user;          ///< user name
+	var $user_token;    ///< user hashed password
 
 	var $_error;		///< last error message
 	var $_warning;		///< last warning message
@@ -528,6 +537,9 @@ function __construct ()
 		$this->_mbenc		= "";
 		$this->_arrayresult	= false;
 		$this->_timeout		= 0;
+
+		$this->user = '';
+		$this->user_token = '';
 	}
 
 	function __destruct()
@@ -584,8 +596,18 @@ function SetConnectTimeout ( $timeout )
 	}
 
 
-	function _Send ( $handle, $data, $length )
+	function _Send ( $handle, $data, $length, $add_auth )
 	{
+		if ( $add_auth )
+		{
+			// auth data head
+			$auth_head = $this->GetUserData();
+			$length += strlen ( $auth_head );
+
+			$auth_head .= $data;
+			$data = $auth_head;
+		}
+
 		if ( feof($handle) || fwrite ( $handle, $data, $length ) !== $length )
 		{
 			$this->_error = 'connection unexpectedly closed (timed out?)';
@@ -666,7 +688,7 @@ function _Connect ()
 		// this is a subtle part. we must do it before (!) reading back from searchd.
 		// because otherwise under some conditions (reported on FreeBSD for instance)
 		// TCP stack could throttle write-write-read pattern because of Nagle.
-		if ( !$this->_Send ( $fp, pack ( "N", 1 ), 4 ) )
+		if ( !$this->_Send ( $fp, pack ( "N", 2 ), 4, false ) )
 		{
 			fclose ( $fp );
 			$this->_error = "failed to send client protocol version";
@@ -1294,7 +1316,7 @@ function RunQueries ()
 		$len = 8+strlen($req);
 		$req = pack ( "nnNNN", SEARCHD_COMMAND_SEARCH, VER_COMMAND_SEARCH, $len, 0, $nreqs ) . $req; // add header
 
-		if ( !( $this->_Send ( $fp, $req, $len+8 ) ) ||
+		if ( !( $this->_Send ( $fp, $req, $len+8, true ) ) ||
 			 !( $response = $this->_GetResponse ( $fp, VER_COMMAND_SEARCH ) ) )
 		{
 			$this->_MBPop ();
@@ -1577,7 +1599,7 @@ function BuildExcerpts ( $docs, $index, $words, $opts=array() )
 
 		$len = strlen($req);
 		$req = pack ( "nnN", SEARCHD_COMMAND_EXCERPT, VER_COMMAND_EXCERPT, $len ) . $req; // add header
-		if ( !( $this->_Send ( $fp, $req, $len+8 ) ) ||
+		if ( !( $this->_Send ( $fp, $req, $len+8, true ) ) ||
 			 !( $response = $this->_GetResponse ( $fp, VER_COMMAND_EXCERPT ) ) )
 		{
 			$this->_MBPop ();
@@ -1647,7 +1669,7 @@ function BuildKeywords ( $query, $index, $hits )
 
 		$len = strlen($req);
 		$req = pack ( "nnN", SEARCHD_COMMAND_KEYWORDS, VER_COMMAND_KEYWORDS, $len ) . $req; // add header
-		if ( !( $this->_Send ( $fp, $req, $len+8 ) ) ||
+		if ( !( $this->_Send ( $fp, $req, $len+8, true ) ) ||
 			 !( $response = $this->_GetResponse ( $fp, VER_COMMAND_KEYWORDS ) ) )
 		{
 			$this->_MBPop ();
@@ -1781,7 +1803,7 @@ function UpdateAttributes ( $index, $attrs, $values, $type=SPH_UPDATE_INT, $igno
 
 		$len = strlen($req);
 		$req = pack ( "nnN", SEARCHD_COMMAND_UPDATE, VER_COMMAND_UPDATE, $len ) . $req; // add header
-		if ( !$this->_Send ( $fp, $req, $len+8 ) )
+		if ( !$this->_Send ( $fp, $req, $len+8, true ) )
 		{
 			$this->_MBPop ();
 			return -1;
@@ -1815,7 +1837,7 @@ function Open()
 
 		// command, command version = 0, body length = 4, body = 1
 		$req = pack ( "nnNN", SEARCHD_COMMAND_PERSIST, 0, 4, 1 );
-		if ( !$this->_Send ( $fp, $req, 12 ) )
+		if ( !$this->_Send ( $fp, $req, 12, true ) )
 			return false;
 
 		$this->_socket = $fp;
@@ -1852,7 +1874,7 @@ function Status ($session=false)
 		}
 
 		$req = pack ( "nnNN", SEARCHD_COMMAND_STATUS, VER_COMMAND_STATUS, 4, $session?0:1 ); // len=4, body=1
-		if ( !( $this->_Send ( $fp, $req, 12 ) ) ||
+		if ( !( $this->_Send ( $fp, $req, 12, true ) ) ||
 			 !( $response = $this->_GetResponse ( $fp, VER_COMMAND_STATUS ) ) )
 		{
 			$this->_MBPop ();
@@ -1888,7 +1910,7 @@ function FlushAttributes ()
 		}
 
 		$req = pack ( "nnN", SEARCHD_COMMAND_FLUSHATTRS, VER_COMMAND_FLUSHATTRS, 0 ); // len=0
-		if ( !( $this->_Send ( $fp, $req, 8 ) ) ||
+		if ( !( $this->_Send ( $fp, $req, 8, true ) ) ||
 			 !( $response = $this->_GetResponse ( $fp, VER_COMMAND_FLUSHATTRS ) ) )
 		{
 			$this->_MBPop ();
@@ -1904,6 +1926,35 @@ function FlushAttributes ()
 		$this->_MBPop ();
 		return $tag;
 	}
+
+	//////////////////////////////////////////////////////////////////////////
+	// user
+	//////////////////////////////////////////////////////////////////////////
+
+	function SetUser ($user, $password)
+	{
+		$this->user = $user;
+
+		$password_hash = hash ( "sha256", $password, true );
+		$pwd_hash = hash ( "sha256", $user . $password_hash, true );
+		$this->user_token = $pwd_hash;
+	}
+
+	function GetUserData ()
+	{
+		$data = '';
+		if ( $this->user=='' )
+		{
+			$data .= pack ( "C", AUTH_NO );
+		} else
+		{
+			$data .= pack ( "C", AUTH_SHA256 );
+			$data .= $this->user_token;
+		}
+
+		return $data;
+	}
+
 }
 
 //

manual/References.md

@@ -604,7 +604,7 @@ spelldump [options] <dictionary> <affix> [result] [locale-name]
 A comprehensive alphabetical list of keywords currently reserved in Manticore SQL syntax (thus, they cannot be used as identifiers).
 
 ```
-AND, AS, BY, COLUMNARSCAN, DISTINCT, DIV, DOCIDINDEX, EXPLAIN, FACET, FALSE, FORCE, FROM, IGNORE, IN, INDEXES, INNER, IS, JOIN, KNN, LEFT, LIMIT, MOD, NOT, NO_COLUMNARSCAN, NO_DOCIDINDEX, NO_SECONDARYINDEX, NULL, OFFSET, ON, OR, ORDER, RELOAD, SECONDARYINDEX, SELECT, SYSFILTERS, TRUE
+AND, AS, BY, COLUMNARSCAN, DISTINCT, DIV, DOCIDINDEX, EXPLAIN, FACET, FALSE, FORCE, FROM, IGNORE, IN, INDEXES, INNER, IS, JOIN, KNN, LEFT, LIMIT, MOD, NOT, NO_COLUMNARSCAN, NO_DOCIDINDEX, NO_SECONDARYINDEX, NULL, OFFSET, ON, OR, ORDER, RELOAD, SECONDARYINDEX, SELECT, SYSFILTERS, TOKEN, TRUE
 ```
 
 ## Documentation for old Manticore versions

src/CMakeLists.txt

@@ -174,7 +174,8 @@ set ( SEARCHD_H searchdaemon.h searchdconfig.h searchdddl.h searchdexpr.h search
 		compressed_zlib_mysql.h sphinxql_debug.h stackmock.h searchdssl.h digest_sha1.h
 		client_session.h compressed_zstd_mysql.h docs_collector.h index_rotator.h config_reloader.h searchdhttp.h timeout_queue.h
 		netpoll.h pollable_event.h netfetch.h searchdbuddy.h sphinxql_second.h sphinxql_extra.h sphinxjsonquery.h
-		frontendschema.h debug_cmds.h dynamic_idx.h sphinxexcerpt.h)
+		frontendschema.h debug_cmds.h dynamic_idx.h sphinxexcerpt.h
+		auth/auth.h auth/auth_common.h auth/auth_proto_http.h auth/auth_proto_mysql.h auth/auth_proto_api.h digest_sha256.h auth/auth_perms.h)
 
 
 # add the extra targets in the case we want on-the-fly grammar compiler
@@ -255,11 +256,15 @@ add_library ( lsearchd OBJECT searchdha.cpp http/http_parser.c searchdhttp.cpp
 		netreceive_http.cpp netreceive_ql.cpp query_status.cpp
 		sphinxql_debug.cpp sphinxql_second.cpp stackmock.cpp docs_collector.cpp index_rotator.cpp config_reloader.cpp netpoll.cpp
 		pollable_event.cpp netfetch.cpp searchdbuddy.cpp searchdhttpcompat.cpp sphinxql_extra.cpp searchdreplication.cpp sphinxjsonquery.cpp
-		frontendschema.cpp compressed_http.cpp debug_cmds.cpp jsonqueryfilter.cpp dynamic_idx.cpp sphinxexcerpt.cpp searchdexpr.cpp)
+		frontendschema.cpp compressed_http.cpp debug_cmds.cpp jsonqueryfilter.cpp dynamic_idx.cpp sphinxexcerpt.cpp searchdexpr.cpp
+		auth/auth.cpp auth/auth_common.cpp auth/auth_proto_http.cpp auth/auth_proto_mysql.cpp auth/auth_proto_api.cpp auth/auth_perms.cpp)
+
 target_sources ( lsearchd PUBLIC ${SEARCHD_SRCS_TESTABLE} ${SEARCHD_H} ${SEARCHD_BISON} ${SEARCHD_FLEX} )
 add_library ( digest_sha1 digest_sha1.cpp )
+add_library ( digest_sha256 digest_sha256.cpp )
 target_link_libraries ( digest_sha1 PRIVATE lextra )
-target_link_libraries ( lsearchd PUBLIC digest_sha1 lextra nlohmann_json::nlohmann_json )
+target_link_libraries ( digest_sha256 PRIVATE lextra )
+target_link_libraries ( lsearchd PUBLIC digest_sha1 digest_sha256 lextra nlohmann_json::nlohmann_json )
 target_link_libraries ( lsearchd INTERFACE Boost::filesystem )
 
 function (stackmock processors compiler versions config values)
@@ -332,9 +337,12 @@ if (WITH_SSL)
 	target_link_libraries ( searchd_ssl PRIVATE OpenSSL::Crypto )
 	target_link_libraries ( digest_sha1 PRIVATE OpenSSL::SSL )
 	target_link_libraries ( digest_sha1 PRIVATE OpenSSL::Crypto )
+	target_link_libraries ( digest_sha256 PRIVATE OpenSSL::SSL )
+	target_link_libraries ( digest_sha256 PRIVATE OpenSSL::Crypto )
 	if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux" OR ${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD")
 		target_link_options ( searchd_ssl INTERFACE $<${ONLYGNUCLANGC_CXX}:-Wl,--exclude-libs,libssl.a,--exclude-libs,libcrypto.a> )
 		target_link_options ( digest_sha1 INTERFACE $<${ONLYGNUCLANGC_CXX}:-Wl,--exclude-libs,libssl.a,--exclude-libs,libcrypto.a> )
+		target_link_options ( digest_sha256 INTERFACE $<${ONLYGNUCLANGC_CXX}:-Wl,--exclude-libs,libssl.a,--exclude-libs,libcrypto.a> )
 	endif()
 	target_compile_options ( searchd_ssl PRIVATE "$<$<COMPILE_LANG_AND_ID:CXX,GNU>:-Wno-deprecated-declarations>" )
 	include ( CheckFunctionExists )