MXS-1600: Add case-insensitive matching to MySQLAuth

The authenticator now supports similar identifier matching as the MariaDB server. The lower_case_table_names parameter explains its intended use (case-insensitive identifier matching): https://mariadb.com/kb/en/library/server-system-variables/#lower_case_table_names
2018-01-16 12:10:58 +02:00 · 2018-01-16 12:10:58 +02:00 · 5273cbada6
commit 5273cbada6
parent 76e53f2081
4 changed files with 36 additions and 8 deletions
--- a/Documentation/Authenticators/MySQL-Authenticator.md
+++ b/Documentation/Authenticators/MySQL-Authenticator.md
@ -67,3 +67,16 @@ injected into the list of users.
 ```
 authenticator_options=inject_service_user=false
 ```
+
+### `lower_case_table_names`
+
+Enable case-insensitive identifier matching for authentication. This parameter
+is disabled by default.
+
+The parameter functions exactly as the MariaDB Server system variable
+[lower_case_table_names](https://mariadb.com/kb/en/library/server-system-variables/#lower_case_table_names).
+This makes the matching done by the authenticator on database names to be
+case-insensitive by converting all names into their lowercase form.
+
+**Note:** The identifier names are converted using an ASCII-only function. This
+  means that non-ASCII characters will retain their case-sensitivity.
--- a/server/modules/authenticator/MySQLAuth/dbusers.c
+++ b/server/modules/authenticator/MySQLAuth/dbusers.c
@ -186,7 +186,10 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
                        uint8_t *scramble, size_t scramble_len)
 {
    sqlite3 *handle = instance->handle;
-    size_t len = sizeof(mysqlauth_validate_user_query) + strlen(session->user) * 2 +
+    const char* validate_query = instance->lower_case_table_names ?
+        mysqlauth_validate_user_query_lower :
+        mysqlauth_validate_user_query;
+    size_t len = strlen(validate_query) + 1 + strlen(session->user) * 2 +
                 strlen(session->db) * 2 + MYSQL_HOST_MAXLEN + session->auth_token_len * 4 + 1;
    char sql[len + 1];
    int rval = MXS_AUTH_FAILED;
@ -198,7 +201,7 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
    }
    else
    {
-        sprintf(sql, mysqlauth_validate_user_query, session->user, dcb->remote,
+        sprintf(sql, validate_query, session->user, dcb->remote,
                dcb->remote, session->db, session->db);
    }

@ -214,7 +217,7 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
    if (!res.ok && strchr(dcb->remote, ':') && strchr(dcb->remote, '.'))
    {
        const char *ipv4 = strrchr(dcb->remote, ':') + 1;
-        sprintf(sql, mysqlauth_validate_user_query, session->user, ipv4, ipv4,
+        sprintf(sql, validate_query, session->user, ipv4, ipv4,
                session->db, session->db);

        if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK)
@ -233,7 +236,7 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
        char client_hostname[MYSQL_HOST_MAXLEN] = "";
        get_hostname(dcb, client_hostname, sizeof(client_hostname) - 1);

-        sprintf(sql, mysqlauth_validate_user_query, session->user, client_hostname,
+        sprintf(sql, validate_query, session->user, client_hostname,
                client_hostname, session->db, session->db);

        if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK)
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.c
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.c
@ -183,6 +183,7 @@ static void* mysql_auth_init(char **options)
        instance->cache_dir = NULL;
        instance->inject_service_user = true;
        instance->skip_auth = false;
+        instance->lower_case_table_names = false;
        instance->handle = NULL;

        for (int i = 0; options[i]; i++)
@ -209,6 +210,10 @@ static void* mysql_auth_init(char **options)
                {
                    instance->skip_auth = config_truth_value(value);
                }
+                else if (strcmp(options[i], "lower_case_table_names") == 0)
+                {
+                    instance->lower_case_table_names = config_truth_value(value);
+                }
                else
                {
                    MXS_ERROR("Unknown authenticator option: %s", options[i]);
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.h
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.h
@ -66,6 +66,12 @@ static const char mysqlauth_validate_user_query[] =
    " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
    " LIMIT 1";

+/** Query that checks if there's a grant for the user being authenticated */
+static const char mysqlauth_validate_user_query_lower[] =
+    "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
+    " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR LOWER('%s') LIKE LOWER(db))"
+    " LIMIT 1";
+
 /** Query that only checks if there's a matching user */
 static const char mysqlauth_skip_auth_query[] =
    "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
@ -106,10 +112,11 @@ static int db_flags = SQLITE_OPEN_READWRITE |

 typedef struct mysql_auth
 {
-    sqlite3 *handle;          /**< SQLite3 database handle */
-    char *cache_dir;          /**< Custom cache directory location */
-    bool inject_service_user; /**< Inject the service user into the list of users */
-    bool skip_auth;           /**< Authentication will always be successful */
+    sqlite3 *handle;             /**< SQLite3 database handle */
+    char *cache_dir;             /**< Custom cache directory location */
+    bool inject_service_user;    /**< Inject the service user into the list of users */
+    bool skip_auth;              /**< Authentication will always be successful */
+    bool lower_case_table_names; /**< Disable database case-sensitivity */
 } MYSQL_AUTH;

 /** Common structure for both backend and client authenticators */