From a3a2a24c97fb0b81f2dc2ce8b6034d3c7f244b36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 30 Jan 2017 17:01:16 +0200
Subject: [PATCH] Return correct value for failed db authentication
The unknown database error was never triggered as all authentication errors returned MXS_AUTH_FAILED.
---
 .../modules/authenticator/MySQLAuth/dbusers.c | 27 ++++++++++++-------
 .../authenticator/MySQLAuth/mysql_auth.c | 17 +++++++-----
 .../authenticator/MySQLAuth/mysql_auth.h | 5 ++--
 3 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/server/modules/authenticator/MySQLAuth/dbusers.c b/server/modules/authenticator/MySQLAuth/dbusers.c
index 8a85027fc..20caf18a6 100644
--- a/server/modules/authenticator/MySQLAuth/dbusers.c
+++ b/server/modules/authenticator/MySQLAuth/dbusers.c
@@ -218,13 +218,13 @@ static int auth_cb(void *data, int columns, char** rows, char** row_names)
 return 0;
 }
-bool validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
- uint8_t *scramble, size_t scramble_len)
+int validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
+ uint8_t *scramble, size_t scramble_len)
 {
 size_t len = sizeof(mysqlauth_validate_user_query) + strlen(session->user) * 2 + strlen(session->db) * 2 + MYSQL_HOST_MAXLEN + session->auth_token_len * 4 + 1;
 char sql[len + 1];
- bool rval = false;
+ int rval = MXS_AUTH_FAILED;
 char *err;
 sprintf(sql, mysqlauth_validate_user_query, session->user, dcb->remote,
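Review bot: Changing `validate_mysql_user()` from `bool` to `int` flips what a truthy result means if `MXS_AUTH_SUCCEEDED` is zero (its value is not visible in this patch), so any caller still written as `if (validate_mysql_user(...))` would compile unchanged and treat a failed login as a success. The two call sites in mysql_auth.c are updated by this commit; it is worth confirming there are no others. A comment above the definition such as `/** Returns an MXS_AUTH_* code, not a boolean; compare against MXS_AUTH_SUCCEEDED explicitly */` would keep later callers from testing the result for truth. The function body continues past the end of this hunk.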
@@ -259,18 +259,25 @@ bool validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
 if (res.ok)
 {
 /** Found a matching row */
- if (session->auth_token_len)
- {
- /** If authentication fails, this will trigger the right
- * error message with `Using password : YES` */
- session->client_sha1[0] = '_';
- }
 if (check_password(res.output, session->auth_token, session->auth_token_len, scramble, scramble_len, session->client_sha1))
 {
 /** Password is OK, check that the database exists */
- rval = check_database(handle, session->db);
+ if (check_database(handle, session->db))
+ {
+ rval = MXS_AUTH_SUCCEEDED;
+ }
+ else
+ {
+ rval = MXS_AUTH_FAILED_DB;
+ }
+ }
+ else if (session->auth_token_len)
+ {
+ /** If authentication fails, this will trigger the right
+ * error message with `Using password : YES` */
+ session->client_sha1[0] = '_';
 }
 }
diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.c b/server/modules/authenticator/MySQLAuth/mysql_auth.c
index 554b4ff80..452a72d4f 100644
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.c
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.c
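Review bot: The `'_'` marker in `session->client_sha1[0]` is still written only inside `if (res.ok)`, so a client that supplies a password for a user with no matching row leaves the function without it, while a wrong password for an existing user sets it. If the marker is what selects the `Using password : YES` text, as the comment says, the two cases may be answered differently and reveal which accounts exist; the code that builds the error is outside this hunk, so this needs checking there. Setting the marker after the `if (res.ok)` block instead, e.g. `if (rval == MXS_AUTH_FAILED && session->auth_token_len) { session->client_sha1[0] = '_'; }`, would cover both paths. The enclosing function starts and ends outside the hunk.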
@@ -268,17 +268,19 @@ mysql_auth_authenticate(DCB *dcb)
 MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
- bool is_ok = validate_mysql_user(instance->handle, dcb, client_data,
- protocol->scramble, sizeof(protocol->scramble));
+ auth_ret = validate_mysql_user(instance->handle, dcb, client_data,
+ protocol->scramble, sizeof(protocol->scramble));
- if (!is_ok && !instance->skip_auth && service_refresh_users(dcb->service) == 0)
+ if (auth_ret != MXS_AUTH_SUCCEEDED &&
+ !instance->skip_auth &&
+ service_refresh_users(dcb->service) == 0)
 {
- is_ok = validate_mysql_user(instance->handle, dcb, client_data,
- protocol->scramble, sizeof(protocol->scramble));
+ auth_ret = validate_mysql_user(instance->handle, dcb, client_data,
+ protocol->scramble, sizeof(protocol->scramble));
 }
 /* on successful authentication, set user into dcb field */
- if (is_ok || instance->skip_auth)
+ if (auth_ret == MXS_AUTH_SUCCEEDED || instance->skip_auth)
 {
 auth_ret = MXS_AUTH_SUCCEEDED;
 dcb->user = MXS_STRDUP_A(client_data->user);
@@ -616,8 +618,9 @@ int mysql_auth_reauthenticate(DCB *dcb, const char *user,
 temp.auth_token_len = token_len;
 MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
+ int rc = validate_mysql_user(instance->handle, dcb, &temp, scramble, scramble_len);
- if (validate_mysql_user(instance->handle, dcb, &temp, scramble, scramble_len))
+ if (rc == MXS_AUTH_SUCCEEDED)
 {
 memcpy(output_token, temp.client_sha1, output_token_len);
 rval = 0;
diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.h b/server/modules/authenticator/MySQLAuth/mysql_auth.h
index 2c5982136..328ee8d87 100644
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.h
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.h
@@ -29,6 +29,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
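Review bot: With `instance->skip_auth` set, the final branch of the `-268` hunk replaces whatever `validate_mysql_user()` returned with `MXS_AUTH_SUCCEEDED`, so the new `MXS_AUTH_FAILED_DB` result is discarded along with `MXS_AUTH_FAILED`. A client naming a nonexistent database is therefore accepted in that mode. If that is intended, the comment above the branch should say so, for example `/* skip_auth accepts the client whatever auth_ret was, including MXS_AUTH_FAILED_DB */`, because `on successful authentication` does not describe the `skip_auth` case. `mysql_auth_authenticate()` begins and ends outside this hunk.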
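Review bot: In `mysql_auth_reauthenticate()` the success path copies `output_token_len` bytes out of `temp.client_sha1` without comparing that length to the size of the field, and nothing in the hunk shows the caller guaranteeing it. If `client_sha1` is a fixed-size array, a larger `output_token_len` would read past it; a guard such as `if (rc == MXS_AUTH_SUCCEEDED && output_token_len <= sizeof(temp.client_sha1))` would make the bound explicit. The `memcpy` is an unchanged context line and the function continues outside the hunk, so the check may already exist earlier in it.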
@@ -185,9 +186,9 @@ int replace_mysql_users(SERV_LISTENER *listener);
 * @param scramble The scramble sent to the client in the initial handshake
 * @param scramble_len Length of @c scramble
 *
- * @return True if the user has access to the database
+ * @return MXS_AUTH_SUCCEEDED if the user has access to the database
 */
-bool validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
+int validate_mysql_user(sqlite3 *handle, DCB *dcb, MYSQL_session *session,
 uint8_t *scramble, size_t scramble_len);
 MXS_END_DECLS
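Review bot: The updated `@return` line documents only the success value, although the dbusers.c hunks show the function can now also return `MXS_AUTH_FAILED` and `MXS_AUTH_FAILED_DB`. Callers reading the header cannot tell that a non-success result carries two distinct meanings. Suggested wording: `@return MXS_AUTH_SUCCEEDED if the user has access to the database, MXS_AUTH_FAILED_DB if the password matched but the database does not exist, MXS_AUTH_FAILED otherwise`.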