environmentd: pipe internal metadata around in http/ws router for self managed auth (#34328)

fixes MaterializeInc/database-issues#9680

<!--
Describe the contents of the PR briefly but completely.

If you write detailed commit messages, it is acceptable to copy/paste
them
here, or write "see commit messages for details." If there is only one
commit
in the PR, GitHub will have already added its commit message above.
-->

### Motivation

<!--
Which of the following best describes the motivation behind this PR?

  * This PR fixes a recognized bug.

    [Ensure issue is linked somewhere.]

  * This PR adds a known-desirable feature.

    [Ensure issue is linked somewhere.]

  * This PR fixes a previously unreported bug.

    [Describe the bug in detail, as if you were filing a bug report.]

  * This PR adds a feature that has not yet been specified.

[Write a brief specification for the feature, including justification
for its inclusion in Materialize, as if you were writing the original
     feature specification.]

   * This PR refactors existing code.

[Describe what was wrong with the existing code, if it is not obvious.]
-->

### Tips for reviewer

<!--
Leave some tips for your reviewer, like:

    * The diff is much smaller if viewed with whitespace hidden.
    * [Some function/module/file] deserves extra attention.
* [Some function/module/file] is pure code movement and only needs a
skim.

Delete this section if no tips.
-->

### Checklist

- [ ] This PR has adequate test coverage / QA involvement has been duly
considered. ([trigger-ci for additional test/nightly
runs](https://trigger-ci.dev.materialize.com/))
- [ ] This PR has an associated up-to-date [design
doc](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/README.md),
is a design doc
([template](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/00000000_template.md)),
or is sufficiently small to not require a design.
  <!-- Reference the design in the description. -->
- [ ] If this PR evolves [an existing `$T ⇔ Proto$T`
mapping](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/command-and-response-binary-encoding.md)
(possibly in a backwards-incompatible way), then it is tagged with a
`T-proto` label.
- [ ] If this PR will require changes to cloud orchestration or tests,
there is a companion cloud PR to account for those changes that is
tagged with the release-blocker label
([example](MaterializeInc/cloud#5021)).
<!-- Ask in #team-cloud on Slack if you need help preparing the cloud
PR. -->
- [ ] If this PR includes major [user-facing behavior
changes](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/guide-changes.md#what-changes-require-a-release-note),
I have pinged the relevant PM to schedule a changelog post.

Author: DAlperin

src/environmentd/src/http.rs

@@ -52,7 +52,7 @@ use mz_ore::metrics::MetricsRegistry;
 use mz_ore::now::{NowFn, SYSTEM_TIME, epoch_to_uuid_v7};
 use mz_ore::str::StrExt;
 use mz_pgwire_common::{ConnectionCounter, ConnectionHandle};
-use mz_repr::user::ExternalUserMetadata;
+use mz_repr::user::{ExternalUserMetadata, InternalUserMetadata};
 use mz_server_core::listeners::{AllowedRoles, AuthenticatorKind, HttpRoutesEnabled};
 use mz_server_core::{Connection, ConnectionHandler, ReloadingSslContext, Server};
 use mz_sql::session::metadata::SessionMetadata;
@@ -529,9 +529,11 @@ async fn x_materialize_user_header_auth(mut req: Request, next: Next) -> impl In
                 )));
             }
         };
+        let superuser = matches!(username.as_str(), SYSTEM_USER_NAME);
         req.extensions_mut().insert(AuthedUser {
             name: username,
             external_metadata_rx: None,
+            internal_metadata: Some(InternalUserMetadata { superuser }),
         });
     }
     Ok(next.run(req).await)
@@ -549,6 +551,7 @@ enum ConnProtocol {
 pub struct AuthedUser {
     name: String,
     external_metadata_rx: Option<watch::Receiver<ExternalUserMetadata>>,
+    internal_metadata: Option<InternalUserMetadata>,
 }
 
 pub struct AuthedClient {
@@ -577,8 +580,7 @@ impl AuthedClient {
             user: user.name,
             client_ip: Some(peer_addr),
             external_metadata_rx: user.external_metadata_rx,
-            //TODO(dov): Add support for internal user metadata when we support auth here
-            internal_user_metadata: None,
+            internal_user_metadata: user.internal_metadata,
             helm_chart_version,
         });
         let connection_guard = active_connection_counter.allocate_connection(session.user())?;
@@ -741,16 +743,22 @@ pub async fn handle_login(
     let Ok(adapter_client) = adapter_client_rx.clone().await else {
         return StatusCode::INTERNAL_SERVER_ERROR;
     };
-    if let Err(err) = adapter_client.authenticate(&username, &password).await {
-        warn!(?err, "HTTP login failed authentication");
-        return StatusCode::UNAUTHORIZED;
+    let auth_response = match adapter_client.authenticate(&username, &password).await {
+        Ok(auth_response) => auth_response,
+        Err(err) => {
+            warn!(?err, "HTTP login failed authentication");
+            return StatusCode::UNAUTHORIZED;
+        }
     };
 
     // Create session data
     let session_data = TowerSessionData {
         username,
         created_at: SystemTime::now(),
         last_activity: SystemTime::now(),
+        internal_metadata: InternalUserMetadata {
+            superuser: auth_response.superuser,
+        },
     };
     // Store session data
     let session = session.and_then(|Extension(session)| Some(session));
@@ -807,6 +815,7 @@ async fn http_auth(
             req.extensions_mut().insert(AuthedUser {
                 name: session_data.username,
                 external_metadata_rx: None,
+                internal_metadata: Some(session_data.internal_metadata),
             });
             return Ok(next.run(req).await);
         }
@@ -966,22 +975,21 @@ async fn auth(
     allowed_roles: AllowedRoles,
     include_www_authenticate_header: bool,
 ) -> Result<AuthedUser, AuthError> {
-    // TODO pass session data here?
-    let (name, external_metadata_rx) = match authenticator {
+    let (name, external_metadata_rx, internal_metadata) = match authenticator {
         Authenticator::Frontegg(frontegg) => match creds {
             Some(Credentials::Password { username, password }) => {
                 let auth_session = frontegg.authenticate(&username, &password.0).await?;
                 let name = auth_session.user().into();
                 let external_metadata_rx = Some(auth_session.external_metadata_rx());
-                (name, external_metadata_rx)
+                (name, external_metadata_rx, None)
             }
             Some(Credentials::Token { token }) => {
                 let claims = frontegg.validate_access_token(&token, None)?;
                 let (_, external_metadata_rx) = watch::channel(ExternalUserMetadata {
                     user_id: claims.user_id,
                     admin: claims.is_admin,
                 });
-                (claims.user, Some(external_metadata_rx))
+                (claims.user, Some(external_metadata_rx), None)
             }
             None => {
                 return Err(AuthError::MissingHttpAuthentication {
@@ -991,10 +999,14 @@ async fn auth(
         },
         Authenticator::Password(adapter_client) => match creds {
             Some(Credentials::Password { username, password }) => {
-                if let Err(_) = adapter_client.authenticate(&username, &password).await {
-                    return Err(AuthError::InvalidCredentials);
-                }
-                (username, None)
+                let auth_response = adapter_client
+                    .authenticate(&username, &password)
+                    .await
+                    .map_err(|_| AuthError::InvalidCredentials)?;
+                let internal_metadata = InternalUserMetadata {
+                    superuser: auth_response.superuser,
+                };
+                (username, None, Some(internal_metadata))
             }
             _ => {
                 return Err(AuthError::MissingHttpAuthentication {
@@ -1018,7 +1030,7 @@ async fn auth(
                 Some(Credentials::Password { username, .. }) => username,
                 _ => HTTP_DEFAULT_USER.name.to_owned(),
             };
-            (name, None)
+            (name, None, None)
         }
     };
 
@@ -1027,6 +1039,7 @@ async fn auth(
     Ok(AuthedUser {
         name,
         external_metadata_rx,
+        internal_metadata,
     })
 }
 
@@ -1093,6 +1106,7 @@ pub struct TowerSessionData {
     username: String,
     created_at: SystemTime,
     last_activity: SystemTime,
+    internal_metadata: InternalUserMetadata,
 }
 
 #[cfg(test)]

src/environmentd/src/http/sql.rs

@@ -311,6 +311,7 @@ pub async fn handle_sql_ws(
                 Some(AuthedUser {
                     name: session_data.username,
                     external_metadata_rx: None,
+                    internal_metadata: Some(session_data.internal_metadata),
                 })
             } else {
                 None

src/environmentd/tests/auth.rs

@@ -3631,3 +3631,206 @@ async fn test_password_auth_http() {
         }
     }
 }
+
+/// Tests that the superuser flag is correctly propagated through HTTP/WebSocket authentication.
+/// This is a regression test for a bug where WebSocket connections always had superuser=false
+/// because internal_user_metadata was hardcoded to None.
+#[mz_ore::test(tokio::test(flavor = "multi_thread", worker_threads = 1))]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `OPENSSL_init_ssl` on OS `linux`
+async fn test_password_auth_http_superuser() {
+    let metrics_registry = MetricsRegistry::new();
+
+    let server = test_util::TestHarness::default()
+        .with_system_parameter_default(
+            "log_filter".to_string(),
+            "mz_frontegg_auth=debug,info".to_string(),
+        )
+        .with_system_parameter_default("enable_password_auth".to_string(), "true".to_string())
+        .with_password_auth(Password("mz_system_password".to_owned()))
+        .with_metrics_registry(metrics_registry)
+        .start()
+        .await;
+
+    let mz_system_client = server
+        .connect()
+        .no_tls()
+        .user("mz_system")
+        .password("mz_system_password")
+        .await
+        .unwrap();
+    mz_system_client
+        .execute(
+            "CREATE ROLE superuser_role WITH LOGIN SUPERUSER PASSWORD 'super_pass'",
+            &[],
+        )
+        .await
+        .unwrap();
+    mz_system_client
+        .execute(
+            "CREATE ROLE normal_role WITH LOGIN PASSWORD 'normal_pass'",
+            &[],
+        )
+        .await
+        .unwrap();
+
+    let ws_url: Uri = format!("ws://{}/api/experimental/sql", server.http_local_addr())
+        .parse()
+        .unwrap();
+    let login_url: Uri = format!("http://{}/api/login", server.http_local_addr())
+        .parse()
+        .unwrap();
+
+    let http_client = hyper_util::client::legacy::Client::builder(TokioExecutor::new())
+        .pool_idle_timeout(Duration::from_secs(10))
+        .build_http();
+
+    fn check_superuser_via_ws_basic(ws_url: &Uri, user: &str, password: &str) -> bool {
+        let ws_request = ClientRequestBuilder::new(ws_url.clone());
+        let (mut ws, _resp) = tungstenite::connect(ws_request).unwrap();
+
+        let auth = WebSocketAuth::Basic {
+            user: user.to_string(),
+            password: Password(password.to_string()),
+            options: BTreeMap::default(),
+        };
+        ws.send(Message::Text(serde_json::to_string(&auth).unwrap()))
+            .unwrap();
+
+        loop {
+            let resp = ws.read().unwrap();
+            if let Message::Text(msg) = resp {
+                let msg: WebSocketResponse = serde_json::from_str(&msg).unwrap();
+                if matches!(msg, WebSocketResponse::ReadyForQuery(_)) {
+                    break;
+                }
+            }
+        }
+
+        ws.send(Message::Text(
+            r#"{"query": "SHOW is_superuser"}"#.to_owned(),
+        ))
+        .unwrap();
+
+        loop {
+            let resp = ws.read().unwrap();
+            if let Message::Text(msg) = resp {
+                let msg: WebSocketResponse = serde_json::from_str(&msg).unwrap();
+                if let WebSocketResponse::Row(row) = msg {
+                    let value = row[0].as_str().unwrap();
+                    return value == "on";
+                }
+            }
+        }
+    }
+
+    async fn check_superuser_via_ws_session(
+        http_client: &hyper_util::client::legacy::Client<
+            hyper_util::client::legacy::connect::HttpConnector,
+            String,
+        >,
+        login_url: &Uri,
+        ws_url: &Uri,
+        user: &str,
+        password: &str,
+    ) -> bool {
+        let login_body = format!(r#"{{"username":"{}","password":"{}"}}"#, user, password);
+        let login_response = http_client
+            .request(
+                Request::post(login_url.clone())
+                    .header("Content-Type", "application/json")
+                    .body(login_body)
+                    .unwrap(),
+            )
+            .await
+            .unwrap();
+
+        assert_eq!(login_response.status(), StatusCode::OK);
+
+        let session_cookie = login_response
+            .headers()
+            .get(SET_COOKIE)
+            .unwrap()
+            .to_str()
+            .unwrap()
+            .split("; ")
+            .find(|v| v.starts_with("mz_session="))
+            .unwrap();
+
+        let ws_request =
+            ClientRequestBuilder::new(ws_url.clone()).with_header("Cookie", session_cookie);
+        let (mut ws, _resp) = tungstenite::connect(ws_request).unwrap();
+
+        ws.send(Message::Text(r#"{"options": {}}"#.to_owned()))
+            .unwrap();
+
+        loop {
+            let resp = ws.read().unwrap();
+            if let Message::Text(msg) = resp {
+                let msg: WebSocketResponse = serde_json::from_str(&msg).unwrap();
+                if matches!(msg, WebSocketResponse::ReadyForQuery(_)) {
+                    break;
+                }
+            }
+        }
+
+        ws.send(Message::Text(
+            r#"{"query": "SHOW is_superuser"}"#.to_owned(),
+        ))
+        .unwrap();
+
+        loop {
+            let resp = ws.read().unwrap();
+            if let Message::Text(msg) = resp {
+                let msg: WebSocketResponse = serde_json::from_str(&msg).unwrap();
+                if let WebSocketResponse::Row(row) = msg {
+                    let value = row[0].as_str().unwrap();
+                    return value == "on";
+                }
+            }
+        }
+    }
+
+    // Superuser via WebSocket with Basic auth should have is_superuser=on
+    assert!(
+        check_superuser_via_ws_basic(&ws_url, "superuser_role", "super_pass"),
+        "superuser_role should have is_superuser=on via WebSocket Basic auth"
+    );
+
+    // Non-superuser via WebSocket with Basic auth should have is_superuser=off
+    assert!(
+        !check_superuser_via_ws_basic(&ws_url, "normal_role", "normal_pass"),
+        "normal_role should have is_superuser=off via WebSocket Basic auth"
+    );
+
+    // Superuser via WebSocket with session cookie should have is_superuser=on
+    assert!(
+        check_superuser_via_ws_session(
+            &http_client,
+            &login_url,
+            &ws_url,
+            "superuser_role",
+            "super_pass"
+        )
+        .await,
+        "superuser_role should have is_superuser=on via WebSocket session auth"
+    );
+
+    // Non-superuser via WebSocket with session cookie should have is_superuser=off
+    assert!(
+        !check_superuser_via_ws_session(
+            &http_client,
+            &login_url,
+            &ws_url,
+            "normal_role",
+            "normal_pass"
+        )
+        .await,
+        "normal_role should have is_superuser=off via WebSocket session auth"
+    );
+
+    // mz_system (internal user) via Basic auth should have is_superuser=on
+    assert!(
+        check_superuser_via_ws_basic(&ws_url, "mz_system", "mz_system_password"),
+        "mz_system should have is_superuser=on via WebSocket Basic auth"
+    );
+}

src/repr/src/user.rs

@@ -7,7 +7,7 @@
 // the Business Source License, use of this software will be governed
 // by the Apache License, Version 2.0.
 
-use serde::Serialize;
+use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 /// Metadata about a user in an external system.
@@ -19,7 +19,7 @@ pub struct ExternalUserMetadata {
     pub admin: bool,
 }
 
-#[derive(Debug, Clone, Serialize)]
+#[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct InternalUserMetadata {
     pub superuser: bool,
 }