From: Harin Vadodaria
Date: September 5 2012 11:41am
Subject: bzr push into mysql-trunk branch (harin.vadodaria:4417 to 4418) WL#6486
List-Archive: http://lists.mysql.com/commits/144697
Message-Id: <20120905114155.20760.86725.4418@hvadodar-ThinkPad-T420>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
4418 Harin Vadodaria 2012-09-05
wl#6486 : Refactoring user management code authentication / authorization)
Description : Moved authentication related code to sql_authentication.h and sql_authentication.cc
added:
sql/auth/sql_authentication.h
modified:
sql/CMakeLists.txt
sql/auth/auth_common.h
sql/auth/sql_acl.cc
sql/auth/sql_authentication.cc
4417 Harin Vadodaria 2012-09-04
wl#6486 : Refactoring user management code (authentication / authorization)
Description : Moved authentication code to sql_authentication.cc
added:
sql/auth/sql_authentication.cc
modified:
sql/CMakeLists.txt
sql/auth/sql_acl.cc
=== modified file 'sql/CMakeLists.txt'
--- a/sql/CMakeLists.txt 2012-09-04 11:58:25 +0000
+++ b/sql/CMakeLists.txt 2012-09-05 11:40:51 +0000
@@ -44,7 +44,7 @@ SET(SQL_SHARED_SOURCES
 auth/sql_user.cc
 # auth/sql_user_table.cc
 auth/sql_user_cache.cc
-# auth/sql_authentication.cc
+ auth/sql_authentication.cc
 datadict.cc
 debug_sync.cc
 derror.cc
=== modified file 'sql/auth/auth_common.h'
--- a/sql/auth/auth_common.h 2012-09-04 07:22:36 +0000
+++ b/sql/auth/auth_common.h 2012-09-05 11:40:51 +0000
@@ -190,4 +190,25 @@
 void set_user_salt(ACL_USER *acl_user, const char *password, uint password_len);
 #endif // NO_EMBEDDED_ACCESS_CHECKS
+/**
+ Common Data Structures
+*/
+
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+extern DYNAMIC_ARRAY acl_users, acl_dbs, acl_proxy_users;
+extern hash_filo *acl_cache;
+extern bool initialized;
+#endif /* NO_EMBEDDED_ACCESS_CHECKS */
+
+
+/**
+ Common Functions
+*/
+
+void optimize_plugin_compare_by_pointer(LEX_STRING *plugin_name);
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+ACL_USER *find_acl_user(const char *host, const char *user,
+ my_bool exact);
+#endif
+
 #endif /* AUTH_COMMON_INCLUDED */
=== modified file 'sql/auth/sql_acl.cc'
--- a/sql/auth/sql_acl.cc 2012-09-04 11:58:25 +0000
+++ b/sql/auth/sql_acl.cc 2012-09-05 11:40:51 +0000
@@ -61,17 +61,18 @@
 #endif
 #include "auth_common.h"
+#include "sql_authentication.h"
 using std::min;
 using std::max;
 bool mysql_user_table_is_in_short_password_format= false;
-static LEX_STRING native_password_plugin_name= {
+LEX_STRING native_password_plugin_name= {
 C_STRING_WITH_LEN("mysql_native_password")
 };
-static LEX_STRING old_password_plugin_name= {
+LEX_STRING old_password_plugin_name= {
 C_STRING_WITH_LEN("mysql_old_password")
 };
@@ -80,22 +81,15 @@ LEX_STRING sha256_password_plugin_name=
 C_STRING_WITH_LEN("sha256_password")
 };
 #endif
-static LEX_STRING validate_password_plugin_name= {
- C_STRING_WITH_LEN("validate_password")
-};
-LEX_STRING default_auth_plugin_name;
-
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-static plugin_ref old_password_plugin;
+plugin_ref old_password_plugin;
 #endif
-static plugin_ref native_password_plugin;
+plugin_ref native_password_plugin;
 #define WARN_DEPRECATED_41_PWD_HASH(thd) \
 WARN_DEPRECATED(thd, "pre-4.1 password hash", "post-4.1 password hash")
-void optimize_plugin_compare_by_pointer(LEX_STRING *plugin_name);
-
 bool auth_plugin_is_built_in(const char *plugin_name)
 {
 return (plugin_name == native_password_plugin_name.str ||
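Review bot: The new `extern` declarations for `acl_users`, `acl_dbs`, `acl_proxy_users`, `acl_cache` and `initialized` give what were sql_acl.cc file-statics external linkage (the matching `static` removals are in the sql_acl.cc hunk at @@ -435,21), so any translation unit that includes auth_common.h can now read or modify the in-memory ACL cache, and the header says nothing about the lock under which that is safe. `initialized` in particular is too generic a name to export with external linkage; a link-time clash with another `bool initialized` elsewhere in the server is plausible, and a prefixed name such as `acl_initialized` (a suggestion, not an existing symbol) or at least a comment on it would make its role clear. The `/** Common Data Structures */` heading could be replaced by something that states the contract, e.g. `/* In-memory ACL cache. Shared with sql_authentication.cc; access only under the same lock sql_acl.cc holds when it reads or rebuilds these. */`. The prototype added for `find_acl_user` carries no documentation; since callers outside sql_acl.cc can now reach it, a Doxygen comment giving its parameters, the meaning of `exact`, and the locking it presumes (the definition in hunk @@ -1613 only says "Find first entry that matches the current user") would help.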
@@ -435,21 +429,19 @@ uchar* acl_entry_get_key(acl_entry *entr
 }
-static DYNAMIC_ARRAY acl_users, acl_dbs, acl_proxy_users;
+DYNAMIC_ARRAY acl_users, acl_dbs, acl_proxy_users;
 static MEM_ROOT global_acl_memory, memex;
-static bool initialized=0;
+bool initialized=0;
 static bool allow_all_hosts=1;
 static HASH acl_check_hosts, column_priv_hash, proc_priv_hash, func_priv_hash;
 static DYNAMIC_ARRAY acl_wild_hosts;
-static hash_filo *acl_cache;
+hash_filo *acl_cache;
 static ulong get_access(TABLE *form,uint fieldnr, uint *next_field=0);
 static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b);
 static ulong get_sort(uint count,...);
 static void init_check_host(void);
 static void rebuild_check_host(void);
-static ACL_USER *find_acl_user(const char *host, const char *user,
- my_bool exact);
 static bool update_user_table(THD *, TABLE *table, const char *host, const char *user, const char *new_password,
@@ -1613,7 +1605,7 @@ bool is_acl_user(const char *host, const
 Find first entry that matches the current user
 */
-static ACL_USER *
+ACL_USER *
 find_acl_user(const char *host, const char *user, my_bool exact)
 {
 DBUG_ENTER("find_acl_user");
@@ -7246,45 +7238,6 @@ bool sp_grant_privileges(THD *thd, const
 DBUG_RETURN(result);
 }
-/**
- Validate if a user can proxy as another user
-
- @thd current thread
- @param user the logged in user (proxy user)
- @param authenticated_as the effective user a plugin is trying to
- impersonate as (proxied user)
- @return proxy user definition
- @retval NULL proxy user definition not found or not applicable
- @retval non-null the proxy user data
-*/
-
-static ACL_PROXY_USER *
-acl_find_proxy_user(const char *user, const char *host, const char *ip,
- const char *authenticated_as, bool *proxy_used)
-{
- uint i;
- /* if the proxied and proxy user are the same return OK */
- DBUG_ENTER("acl_find_proxy_user");
- DBUG_PRINT("info", ("user=%s host=%s ip=%s authenticated_as=%s",
- user, host, ip, authenticated_as));
-
- if (!strcmp(authenticated_as, user))
- {
- DBUG_PRINT ("info", ("user is the same as authenticated_as"));
- DBUG_RETURN (NULL);
- }
-
- *proxy_used= TRUE;
- for (i=0; i < acl_proxy_users.elements; i++)
- {
- ACL_PROXY_USER *proxy= dynamic_element(&acl_proxy_users, i,
- ACL_PROXY_USER *);
- if (proxy->matches(host, user, ip, authenticated_as))
- DBUG_RETURN(proxy);
- }
-
- DBUG_RETURN(NULL);
-}
 bool acl_check_proxy_grant_access(THD *thd, const char *host, const char *user,
@@ -7934,8 +7887,3 @@ get_cached_table_access(GRANT_INTERNAL_I
 return grant_internal_info->m_table_access;
 }
-/************* temporary inclusion pending split */
-#include "sql_authentication.cc"
-/*************************************************/
-
-
=== modified file 'sql/auth/sql_authentication.cc'
--- a/sql/auth/sql_authentication.cc 2012-09-04 11:58:25 +0000
+++ b/sql/auth/sql_authentication.cc 2012-09-05 11:40:51 +0000
@@ -1,4 +1,35 @@
+/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+#include "my_global.h"
+#include "sql_acl.h"
+#include "hash_filo.h"
+#include "sql_connect.h"
+#include
+#include "sql_common.h"
+#include "hostname.h"
+#include "sql_db.h"
+#include
+#include "auth_common.h"
+#include "sql_authentication.h"
+
+static LEX_STRING validate_password_plugin_name= {
+ C_STRING_WITH_LEN("validate_password")
+};
+
+LEX_STRING default_auth_plugin_name;
 /****************************************************************************
 AUTHENTICATION CODE
 including initial connect handshake, invoking appropriate plugins,
@@ -18,63 +49,48 @@
 #define sslaccept(A,B,C) 1
 #endif
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+/**
+ Validate if a user can proxy as another user
+
+ @thd current thread
+ @param user the logged in user (proxy user)
+ @param authenticated_as the effective user a plugin is trying to
+ impersonate as (proxied user)
+ @return proxy user definition
+ @retval NULL proxy user definition not found or not applicable
+ @retval non-null the proxy user data
+*/
-class Thd_charset_adapter
+static ACL_PROXY_USER *
+acl_find_proxy_user(const char *user, const char *host, const char *ip,
+ const char *authenticated_as, bool *proxy_used)
 {
- THD *thd;
-public:
- Thd_charset_adapter(THD *thd_arg) : thd (thd_arg) {}
- bool init_client_charset(uint cs_number)
+ uint i;
+ /* if the proxied and proxy user are the same return OK */
+ DBUG_ENTER("acl_find_proxy_user");
+ DBUG_PRINT("info", ("user=%s host=%s ip=%s authenticated_as=%s",
+ user, host, ip, authenticated_as));
+
+ if (!strcmp(authenticated_as, user))
 {
- if (thd_init_client_charset(thd, cs_number))
- return true;
- thd->update_charset();
- return thd->is_error();
+ DBUG_PRINT ("info", ("user is the same as authenticated_as"));
+ DBUG_RETURN (NULL);
 }
- const CHARSET_INFO *charset() { return thd->charset(); }
-};
+ *proxy_used= TRUE;
+ for (i=0; i < acl_proxy_users.elements; i++)
+ {
+ ACL_PROXY_USER *proxy= dynamic_element(&acl_proxy_users, i,
+ ACL_PROXY_USER *);
+ if (proxy->matches(host, user, ip, authenticated_as))
+ DBUG_RETURN(proxy);
+ }
+ DBUG_RETURN(NULL);
+}
+#endif
-/**
- The internal version of what plugins know as MYSQL_PLUGIN_VIO,
- basically the context of the authentication session
-*/
-struct MPVIO_EXT :public MYSQL_PLUGIN_VIO
-{
- MYSQL_SERVER_AUTH_INFO auth_info;
- const ACL_USER *acl_user;
- plugin_ref plugin; ///< what plugin we're under
- LEX_STRING db; ///< db name from the handshake packet
- /** when restarting a plugin this caches the last client reply */
- struct {
- char *plugin, *pkt; ///< pointers into
NET::buff
- uint pkt_len;
- } cached_client_reply;
- /** this caches the first plugin packet for restart request on the client */
- struct {
- char *pkt;
- uint pkt_len;
- } cached_server_packet;
- int packets_read, packets_written; ///< counters for send/received packets
- /** when plugin returns a failure this tells us what really happened */
- enum { SUCCESS, FAILURE, RESTART } status;
-
- /* encapsulation members */
- ulong client_capabilities;
- char *scramble;
- MEM_ROOT *mem_root;
- struct rand_struct *rand;
- my_thread_id thread_id;
- uint *server_status;
- NET *net;
- ulong max_client_packet_length;
- char *ip;
- char *host;
- Thd_charset_adapter *charset_adapter;
- LEX_STRING acl_user_plugin;
- int vio_is_encrypted;
-};
 /** Sets the default default auth plugin value if no option was specified.
=== added file 'sql/auth/sql_authentication.h'
--- a/sql/auth/sql_authentication.h 1970-01-01 00:00:00 +0000
+++ b/sql/auth/sql_authentication.h 2012-09-05 11:40:51 +0000
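Review bot: The Doxygen block above `acl_find_proxy_user` documents a `@thd current thread` parameter that the function does not take, and it leaves `host`, `ip` and the out-parameter `proxy_used` undocumented, even though the body sets `*proxy_used= TRUE` before the loop, i.e. whenever the two names differ and regardless of whether any `ACL_PROXY_USER` entry matches. Now that the function lives in sql_authentication.cc and walks the shared `acl_proxy_users` array, this comment is the only place a reader learns the contract, so I would drop the `@thd` line and add `@param host`, `@param ip` and `@param proxy_used  set to TRUE when a proxy lookup was attempted, even if no entry matched`, plus a `@note` naming the lock the caller is expected to hold while the array is traversed. As a point of style, `uint i;` could be declared in the `for` header instead of at the top of the function.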
@@ -0,0 +1,83 @@
+#ifndef SQL_AUTHENTICATION_INCLUDED
+#define SQL_AUTHENTICATION_INCLUDED
+
+class Thd_charset_adapter
+{
+ THD *thd;
+public:
+ Thd_charset_adapter(THD *thd_arg) : thd (thd_arg) {}
+ bool init_client_charset(uint cs_number)
+ {
+ if (thd_init_client_charset(thd, cs_number))
+ return true;
+ thd->update_charset();
+ return thd->is_error();
+ }
+
+ const CHARSET_INFO *charset() { return thd->charset(); }
+};
+
+
+/**
+ The internal version of what plugins know as MYSQL_PLUGIN_VIO,
+ basically the context of the authentication session
+*/
+struct MPVIO_EXT :public MYSQL_PLUGIN_VIO
+{
+ MYSQL_SERVER_AUTH_INFO auth_info;
+ const ACL_USER *acl_user;
+ plugin_ref plugin; ///< what plugin we're under
+ LEX_STRING db; ///< db name from the handshake packet
+ /** when restarting a plugin this caches the last client reply */
+ struct {
+ char *plugin, *pkt; ///< pointers into NET::buff
+ uint pkt_len;
+ } cached_client_reply;
+ /** this caches the first plugin packet for restart request on the client */
+ struct {
+ char *pkt;
+ uint pkt_len;
+ } cached_server_packet;
+ int packets_read, packets_written; ///< counters for send/received packets
+ /** when plugin returns a failure this tells us what really happened */
+ enum { SUCCESS, FAILURE, RESTART } status;
+
+ /* encapsulation members */
+ ulong client_capabilities;
+ char *scramble;
+ MEM_ROOT *mem_root;
+ struct rand_struct *rand;
+ my_thread_id thread_id;
+ uint *server_status;
+ NET *net;
+ ulong max_client_packet_length;
+ char *ip;
+ char *host;
+ Thd_charset_adapter *charset_adapter;
+ LEX_STRING acl_user_plugin;
+ int vio_is_encrypted;
+};
+
+
+/**
+ Common Data Structures
+*/
+extern LEX_STRING default_auth_plugin_name;
+extern LEX_STRING native_password_plugin_name;
+#if defined(HAVE_OPENSSL)
+extern LEX_STRING sha256_password_plugin_name;
+#endif
+extern LEX_STRING old_password_plugin_name;
+
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+extern plugin_ref old_password_plugin;
+#endif
+extern plugin_ref
native_password_plugin;
+
+
+/**
+ Common Functions
+*/
+bool auth_plugin_is_built_in(const char *plugin_name);
+
+#endif /* SQL_AUTHENTICATION_INCLUDED */
No bundle (reason: useless for push emails).
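Review bot: sql_authentication.h is not self-contained: it uses `THD`, `uint`, `CHARSET_INFO`, `MYSQL_PLUGIN_VIO`, `MYSQL_SERVER_AUTH_INFO`, `ACL_USER`, `plugin_ref`, `LEX_STRING`, `MEM_ROOT`, `NET`, `my_thread_id` and `rand_struct` and calls `thd_init_client_charset`, yet includes nothing, so it compiles only when the including file has already pulled those in (sql_acl.cc includes it after auth_common.h, sql_authentication.cc after sql_acl.h and the other headers in its hunk). Adding the includes it depends on, or forward declarations for the types it only uses through pointers, would remove that include-order dependency. The header also lacks the GPL copyright block that the new sql_authentication.cc carries, and `Thd_charset_adapter(THD *thd_arg)` is a single-argument constructor that should read `explicit Thd_charset_adapter(THD *thd_arg) : thd (thd_arg) {}` so a `THD *` does not silently convert into an adapter. Finally, `MPVIO_EXT` is now visible to every includer, but its comment does not say who owns the buffers behind `scramble`, `cached_client_reply.pkt` (described only as pointers into `NET::buff`) and `cached_server_packet.pkt`; a sentence on ownership and lifetime would help anyone who reuses the struct from outside the authentication code.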