hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Uncrustify maxscale

Browse Source 
See script directory for method. The script to run in the top level
MaxScale directory is called maxscale-uncrustify.sh, which uses
another script, list-src, from the same directory (so you need to set
your PATH). The uncrustify version was 0.66.
This commit is contained in:
Niclas Antti
2018-09-09 22:26:19 +03:00
parent fa7ec95069
commit c447e5cf15
849 changed files with 35002 additions and 27238 deletions
Download Patch File Download Diff File Expand all files Collapse all files

417
server/modules/authenticator/MySQLAuth/dbusers.cc
View File

@ -43,7 +43,8 @@
/** MySQL 5.7 password column name */
#define MYSQL57_PASSWORD "authentication_string"
#define NEW_LOAD_DBUSERS_QUERY "SELECT u.user, u.host, d.db, u.select_priv, u.%s \
#define NEW_LOAD_DBUSERS_QUERY \
"SELECT u.user, u.host, d.db, u.select_priv, u.%s \
FROM mysql.user AS u LEFT JOIN mysql.db AS d \
ON (u.user = d.user AND u.host = d.host) WHERE u.plugin IN ('', 'mysql_native_password') %s \
UNION \
@ -51,83 +52,83 @@
FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t \
ON (u.user = t.user AND u.host = t.host) WHERE u.plugin IN ('', 'mysql_native_password') %s"
// Query used with MariaDB 10.1 and newer, supports roles
const char* mariadb_users_query =
// First, select all users
"SELECT t.user, t.host, t.db, t.select_priv, t.password FROM "
"( "
" SELECT u.user, u.host, d.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.db AS d "
" ON (u.user = d.user AND u.host = d.host) "
" UNION "
" SELECT u.user, u.host, t.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t "
" ON (u.user = t.user AND u.host = t.host) "
") AS t "
// Discard any users that are roles
"WHERE t.is_role <> 'Y' %s "
"UNION "
// Then select all users again
"SELECT r.user, r.host, u.db, u.select_priv, t.password FROM "
"( "
" SELECT u.user, u.host, d.db, u.select_priv, u.password AS password, u.default_role "
" FROM mysql.user AS u LEFT JOIN mysql.db AS d "
" ON (u.user = d.user AND u.host = d.host) "
" UNION "
" SELECT u.user, u.host, t.db, u.select_priv, u.password AS password, u.default_role "
" FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t "
" ON (u.user = t.user AND u.host = t.host) "
") AS t "
// Join it to the roles_mapping table to only have users with roles
"JOIN mysql.roles_mapping AS r "
"ON (r.user = t.user AND r.host = t.host) "
// Then join it into itself to get the privileges of the role with the name of the user
"JOIN "
"( "
" SELECT u.user, u.host, d.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.db AS d "
" ON (u.user = d.user AND u.host = d.host) "
" UNION "
" SELECT u.user, u.host, t.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t "
" ON (u.user = t.user AND u.host = t.host) "
") AS u "
"ON (u.user = r.role AND u.is_role = 'Y') "
// We only care about users that have a default role assigned
"WHERE t.default_role = u.user %s;";
// Query used with MariaDB 10.1 and newer, supports roles
const char* mariadb_users_query
= // First, select all users
"SELECT t.user, t.host, t.db, t.select_priv, t.password FROM "
"( "
" SELECT u.user, u.host, d.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.db AS d "
" ON (u.user = d.user AND u.host = d.host) "
" UNION "
" SELECT u.user, u.host, t.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t "
" ON (u.user = t.user AND u.host = t.host) "
") AS t "
// Discard any users that are roles
"WHERE t.is_role <> 'Y' %s "
"UNION "
// Then select all users again
"SELECT r.user, r.host, u.db, u.select_priv, t.password FROM "
"( "
" SELECT u.user, u.host, d.db, u.select_priv, u.password AS password, u.default_role "
" FROM mysql.user AS u LEFT JOIN mysql.db AS d "
" ON (u.user = d.user AND u.host = d.host) "
" UNION "
" SELECT u.user, u.host, t.db, u.select_priv, u.password AS password, u.default_role "
" FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t "
" ON (u.user = t.user AND u.host = t.host) "
") AS t "
// Join it to the roles_mapping table to only have users with roles
"JOIN mysql.roles_mapping AS r "
"ON (r.user = t.user AND r.host = t.host) "
// Then join it into itself to get the privileges of the role with the name of the user
"JOIN "
"( "
" SELECT u.user, u.host, d.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.db AS d "
" ON (u.user = d.user AND u.host = d.host) "
" UNION "
" SELECT u.user, u.host, t.db, u.select_priv, u.password AS password, u.is_role "
" FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t "
" ON (u.user = t.user AND u.host = t.host) "
") AS u "
"ON (u.user = r.role AND u.is_role = 'Y') "
// We only care about users that have a default role assigned
"WHERE t.default_role = u.user %s;";
static int get_users(SERV_LISTENER *listener, bool skip_local);
static MYSQL *gw_mysql_init(void);
static int gw_mysql_set_timeouts(MYSQL* handle);
static char *mysql_format_user_entry(void *data);
static bool get_hostname(DCB *dcb, char *client_hostname, size_t size);
static int get_users(SERV_LISTENER* listener, bool skip_local);
static MYSQL* gw_mysql_init(void);
static int gw_mysql_set_timeouts(MYSQL* handle);
static char* mysql_format_user_entry(void* data);
static bool get_hostname(DCB* dcb, char* client_hostname, size_t size);
static char* get_mariadb_users_query(bool include_root)
{
const char *root = include_root ? "" : " AND t.user NOT IN ('root')";
const char* root = include_root ? "" : " AND t.user NOT IN ('root')";
size_t n_bytes = snprintf(NULL, 0, mariadb_users_query, root, root);
char *rval = static_cast<char*>(MXS_MALLOC(n_bytes + 1));
char* rval = static_cast<char*>(MXS_MALLOC(n_bytes + 1));
MXS_ABORT_IF_NULL(rval);
snprintf(rval, n_bytes + 1, mariadb_users_query, root, root);
return rval;
}
static char* get_users_query(const char *server_version, bool include_root, bool is_mariadb)
static char* get_users_query(const char* server_version, bool include_root, bool is_mariadb)
{
if (is_mariadb) // 10.1.1 or newer, supports default roles
if (is_mariadb) // 10.1.1 or newer, supports default roles
{
return get_mariadb_users_query(include_root);
}
// Either an older MariaDB version or a MySQL variant, use the legacy query
const char* password = strstr(server_version, "5.7.") || strstr(server_version, "8.0.")
? MYSQL57_PASSWORD : MYSQL_PASSWORD;
const char *with_root = include_root ? "" : " AND u.user NOT IN ('root')";
? MYSQL57_PASSWORD : MYSQL_PASSWORD;
const char* with_root = include_root ? "" : " AND u.user NOT IN ('root')";
size_t n_bytes = snprintf(NULL, 0, NEW_LOAD_DBUSERS_QUERY, password, with_root, password, with_root);
char *rval = static_cast<char*>(MXS_MALLOC(n_bytes + 1));
char* rval = static_cast<char*>(MXS_MALLOC(n_bytes + 1));
if (rval)
{
@ -137,14 +138,18 @@ static char* get_users_query(const char *server_version, bool include_root, bool
return rval;
}
int replace_mysql_users(SERV_LISTENER *listener, bool skip_local)
int replace_mysql_users(SERV_LISTENER* listener, bool skip_local)
{
int i = get_users(listener, skip_local);
return i;
}
static bool check_password(const char *output, uint8_t *token, size_t token_len,
uint8_t *scramble, size_t scramble_len, uint8_t *phase2_scramble)
static bool check_password(const char* output,
uint8_t* token,
size_t token_len,
uint8_t* scramble,
size_t scramble_len,
uint8_t* phase2_scramble)
{
uint8_t stored_token[SHA_DIGEST_LENGTH] = {};
size_t stored_token_len = sizeof(stored_token);
@ -192,14 +197,14 @@ static bool check_password(const char *output, uint8_t *token, size_t token_len,
}
/** Callback for check_database() */
static int database_cb(void *data, int columns, char** rows, char** row_names)
static int database_cb(void* data, int columns, char** rows, char** row_names)
{
bool *rval = (bool*)data;
bool* rval = (bool*)data;
*rval = true;
return 0;
}
static bool check_database(sqlite3 *handle, const char *database)
static bool check_database(sqlite3* handle, const char* database)
{
bool rval = true;
@ -211,7 +216,7 @@ static bool check_database(sqlite3 *handle, const char *database)
sprintf(sql, mysqlauth_validate_database_query, database);
char *err;
char* err;
if (sqlite3_exec(handle, sql, database_cb, &rval, &err) != SQLITE_OK)
{
@ -224,7 +229,7 @@ static bool check_database(sqlite3 *handle, const char *database)
return rval;
}
static bool no_password_required(const char *result, size_t tok_len)
static bool no_password_required(const char* result, size_t tok_len)
{
return *result == '\0' && tok_len == 0;
}
@ -237,26 +242,29 @@ struct user_query_result
};
/** @brief Callback for sqlite3_exec() */
static int auth_cb(void *data, int columns, char** rows, char** row_names)
static int auth_cb(void* data, int columns, char** rows, char** row_names)
{
struct user_query_result *res = (struct user_query_result*)data;
struct user_query_result* res = (struct user_query_result*)data;
strcpy(res->output, rows[0] ? rows[0] : "");
res->ok = true;
return 0;
}
int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
uint8_t *scramble, size_t scramble_len)
int validate_mysql_user(MYSQL_AUTH* instance,
DCB* dcb,
MYSQL_session* session,
uint8_t* scramble,
size_t scramble_len)
{
sqlite3 *handle = get_handle(instance);
const char* validate_query = instance->lower_case_table_names ?
mysqlauth_validate_user_query_lower :
mysqlauth_validate_user_query;
size_t len = strlen(validate_query) + 1 + strlen(session->user) * 2 +
strlen(session->db) * 2 + MYSQL_HOST_MAXLEN + session->auth_token_len * 4 + 1;
sqlite3* handle = get_handle(instance);
const char* validate_query = instance->lower_case_table_names
? mysqlauth_validate_user_query_lower
: mysqlauth_validate_user_query;
size_t len = strlen(validate_query) + 1 + strlen(session->user) * 2
+ strlen(session->db) * 2 + MYSQL_HOST_MAXLEN + session->auth_token_len * 4 + 1;
char sql[len + 1];
int rval = MXS_AUTH_FAILED;
char *err;
char* err;
if (instance->skip_auth)
{
@ -264,8 +272,13 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
}
else
{
sprintf(sql, validate_query, session->user, dcb->remote,
dcb->remote, session->db, session->db);
sprintf(sql,
validate_query,
session->user,
dcb->remote,
dcb->remote,
session->db,
session->db);
}
struct user_query_result res = {};
@ -279,9 +292,14 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
/** Check for IPv6 mapped IPv4 address */
if (!res.ok && strchr(dcb->remote, ':') && strchr(dcb->remote, '.'))
{
const char *ipv4 = strrchr(dcb->remote, ':') + 1;
sprintf(sql, validate_query, session->user, ipv4, ipv4,
session->db, session->db);
const char* ipv4 = strrchr(dcb->remote, ':') + 1;
sprintf(sql,
validate_query,
session->user,
ipv4,
ipv4,
session->db,
session->db);
if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK)
{
@ -299,8 +317,13 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
char client_hostname[MYSQL_HOST_MAXLEN] = "";
get_hostname(dcb, client_hostname, sizeof(client_hostname) - 1);
sprintf(sql, validate_query, session->user, client_hostname,
client_hostname, session->db, session->db);
sprintf(sql,
validate_query,
session->user,
client_hostname,
client_hostname,
session->db,
session->db);
if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK)
{
@ -313,9 +336,13 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
{
/** Found a matching row */
if (no_password_required(res.output, session->auth_token_len) ||
check_password(res.output, session->auth_token, session->auth_token_len,
scramble, scramble_len, session->client_sha1))
if (no_password_required(res.output, session->auth_token_len)
|| check_password(res.output,
session->auth_token,
session->auth_token_len,
scramble,
scramble_len,
session->client_sha1))
{
/** Password is OK, check that the database exists */
if (check_database(handle, session->db))
@ -337,13 +364,13 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
*
* @param handle SQLite handle
*/
static bool delete_mysql_users(sqlite3 *handle)
static bool delete_mysql_users(sqlite3* handle)
{
bool rval = true;
char *err;
char* err;
if (sqlite3_exec(handle, delete_users_query, NULL, NULL, &err) != SQLITE_OK ||
sqlite3_exec(handle, delete_databases_query, NULL, NULL, &err) != SQLITE_OK)
if (sqlite3_exec(handle, delete_users_query, NULL, NULL, &err) != SQLITE_OK
|| sqlite3_exec(handle, delete_databases_query, NULL, NULL, &err) != SQLITE_OK)
{
MXS_ERROR("Failed to delete old users: %s", err);
sqlite3_free(err);
@ -363,20 +390,20 @@ static bool delete_mysql_users(sqlite3 *handle)
* @param host The hostname, which is modified in-place. If merging is unsuccessful,
* it may end up garbled.
*/
static void merge_netmask(char *host)
static void merge_netmask(char* host)
{
char *delimiter_loc = strchr(host, '/');
char* delimiter_loc = strchr(host, '/');
if (delimiter_loc == NULL)
{
return; // Nothing to do
return; // Nothing to do
}
/* If anything goes wrong, we put the '/' back in to ensure the hostname
* cannot be used.
*/
*delimiter_loc = '\0';
char *ip_token_loc = host;
char *mask_token_loc = delimiter_loc + 1; // This is at minimum a \0
char* ip_token_loc = host;
char* mask_token_loc = delimiter_loc + 1; // This is at minimum a \0
while (ip_token_loc && mask_token_loc)
{
@ -396,7 +423,8 @@ static void merge_netmask(char *host)
*/
*delimiter_loc = '/';
MXS_ERROR("Unrecognized IP-bytes in host/mask-combination. "
"Merge incomplete: %s", host);
"Merge incomplete: %s",
host);
return;
}
@ -412,14 +440,19 @@ static void merge_netmask(char *host)
{
*delimiter_loc = '/';
MXS_ERROR("Unequal number of IP-bytes in host/mask-combination. "
"Merge incomplete: %s", host);
"Merge incomplete: %s",
host);
}
}
void add_mysql_user(sqlite3 *handle, const char *user, const char *host,
const char *db, bool anydb, const char *pw)
void add_mysql_user(sqlite3* handle,
const char* user,
const char* host,
const char* db,
bool anydb,
const char* pw)
{
size_t dblen = db && *db ? strlen(db) + 2 : sizeof(null_token); /** +2 for single quotes */
size_t dblen = db && *db ? strlen(db) + 2 : sizeof(null_token); /** +2 for single quotes */
char dbstr[dblen + 1];
if (db && *db)
@ -431,7 +464,7 @@ void add_mysql_user(sqlite3 *handle, const char *user, const char *host,
strcpy(dbstr, null_token);
}
size_t pwlen = pw && *pw ? strlen(pw) + 2 : sizeof(null_token); /** +2 for single quotes */
size_t pwlen = pw && *pw ? strlen(pw) + 2 : sizeof(null_token); /** +2 for single quotes */
char pwstr[pwlen + 1];
if (pw && *pw)
@ -442,7 +475,9 @@ void add_mysql_user(sqlite3 *handle, const char *user, const char *host,
"backend database. MaxScale does not support these "
"old passwords. This user will not be able to connect "
"via MaxScale. Update the users password to correct "
"this.", user, host);
"this.",
user,
host);
return;
}
else if (*pw == '*')
@ -461,7 +496,7 @@ void add_mysql_user(sqlite3 *handle, const char *user, const char *host,
char insert_sql[len + 1];
sprintf(insert_sql, insert_user_query, user, host, dbstr, anydb ? "1" : "0", pwstr);
char *err;
char* err;
if (sqlite3_exec(handle, insert_sql, NULL, NULL, &err) != SQLITE_OK)
{
MXS_ERROR("Failed to insert user: %s", err);
@ -471,14 +506,14 @@ void add_mysql_user(sqlite3 *handle, const char *user, const char *host,
MXS_INFO("Added user: %s", insert_sql);
}
static void add_database(sqlite3 *handle, const char *db)
static void add_database(sqlite3* handle, const char* db)
{
size_t len = sizeof(insert_database_query) + strlen(db) + 1;
char insert_sql[len + 1];
sprintf(insert_sql, insert_database_query, db);
char *err;
char* err;
if (sqlite3_exec(handle, insert_sql, NULL, NULL, &err) != SQLITE_OK)
{
MXS_ERROR("Failed to insert database: %s", err);
@ -491,7 +526,7 @@ static void add_database(sqlite3 *handle, const char *db)
*
* @return An object or NULL if something fails.
*/
MYSQL *gw_mysql_init()
MYSQL* gw_mysql_init()
{
MYSQL* con = mysql_init(NULL);
@ -528,22 +563,25 @@ static int gw_mysql_set_timeouts(MYSQL* handle)
MXS_CONFIG* cnf = config_get_global_options();
if ((rc = mysql_optionsv(handle, MYSQL_OPT_READ_TIMEOUT,
(void *) &cnf->auth_read_timeout)))
if ((rc = mysql_optionsv(handle,
MYSQL_OPT_READ_TIMEOUT,
(void*) &cnf->auth_read_timeout)))
{
MXS_ERROR("Failed to set read timeout for backend connection.");
goto retblock;
}
if ((rc = mysql_optionsv(handle, MYSQL_OPT_CONNECT_TIMEOUT,
(void *) &cnf->auth_conn_timeout)))
if ((rc = mysql_optionsv(handle,
MYSQL_OPT_CONNECT_TIMEOUT,
(void*) &cnf->auth_conn_timeout)))
{
MXS_ERROR("Failed to set connect timeout for backend connection.");
goto retblock;
}
if ((rc = mysql_optionsv(handle, MYSQL_OPT_WRITE_TIMEOUT,
(void *) &cnf->auth_write_timeout)))
if ((rc = mysql_optionsv(handle,
MYSQL_OPT_WRITE_TIMEOUT,
(void*) &cnf->auth_write_timeout)))
{
MXS_ERROR("Failed to set write timeout for backend connection.");
goto retblock;
@ -562,10 +600,12 @@ retblock:
* @return True if the service permissions are OK, false if one or more permissions
* are missing.
*/
static bool check_server_permissions(SERVICE *service, SERVER* server,
const char* user, const char* password)
static bool check_server_permissions(SERVICE* service,
SERVER* server,
const char* user,
const char* password)
{
MYSQL *mysql = gw_mysql_init();
MYSQL* mysql = gw_mysql_init();
if (mysql == NULL)
{
@ -584,8 +624,12 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
MXS_ERROR("[%s] Failed to connect to server '%s' ([%s]:%d) when"
" checking authentication user credentials and permissions: %d %s",
service->name, server->name, server->address, server->port,
my_errno, mysql_error(mysql));
service->name,
server->name,
server->address,
server->port,
my_errno,
mysql_error(mysql));
mysql_close(mysql);
return my_errno != ER_ACCESS_DENIED_ERROR;
@ -602,8 +646,8 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
}
const char* format = "SELECT user, host, %s, Select_priv FROM mysql.user limit 1";
const char* query_pw = strstr(server->version_string, "5.7.") ?
MYSQL57_PASSWORD : MYSQL_PASSWORD;
const char* query_pw = strstr(server->version_string, "5.7.")
? MYSQL57_PASSWORD : MYSQL_PASSWORD;
char query[strlen(format) + strlen(query_pw) + 1];
bool rval = true;
sprintf(query, format, query_pw);
@ -614,13 +658,17 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
{
MXS_ERROR("[%s] User '%s' is missing SELECT privileges"
" on mysql.user table. MySQL error message: %s",
service->name, user, mysql_error(mysql));
service->name,
user,
mysql_error(mysql));
rval = false;
}
else
{
MXS_ERROR("[%s] Failed to query from mysql.user table."
" MySQL error message: %s", service->name, mysql_error(mysql));
" MySQL error message: %s",
service->name,
mysql_error(mysql));
}
}
else
@ -630,7 +678,9 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
if (res == NULL)
{
MXS_ERROR("[%s] Result retrieval failed when checking for permissions to "
"the mysql.user table: %s", service->name, mysql_error(mysql));
"the mysql.user table: %s",
service->name,
mysql_error(mysql));
}
else
{
@ -644,12 +694,16 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
{
MXS_WARNING("[%s] User '%s' is missing SELECT privileges on mysql.db table. "
"Database name will be ignored in authentication. "
"MySQL error message: %s", service->name, user, mysql_error(mysql));
"MySQL error message: %s",
service->name,
user,
mysql_error(mysql));
}
else
{
MXS_ERROR("[%s] Failed to query from mysql.db table. MySQL error message: %s",
service->name, mysql_error(mysql));
service->name,
mysql_error(mysql));
}
}
else
@ -658,7 +712,9 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
if (res == NULL)
{
MXS_ERROR("[%s] Result retrieval failed when checking for permissions "
"to the mysql.db table: %s", service->name, mysql_error(mysql));
"to the mysql.db table: %s",
service->name,
mysql_error(mysql));
}
else
{
@ -672,12 +728,17 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
{
MXS_WARNING("[%s] User '%s' is missing SELECT privileges on mysql.tables_priv table. "
"Database name will be ignored in authentication. "
"MySQL error message: %s", service->name, user, mysql_error(mysql));
"MySQL error message: %s",
service->name,
user,
mysql_error(mysql));
}
else
{
MXS_ERROR("[%s] Failed to query from mysql.tables_priv table. "
"MySQL error message: %s", service->name, mysql_error(mysql));
"MySQL error message: %s",
service->name,
mysql_error(mysql));
}
}
else
@ -686,7 +747,9 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
if (res == NULL)
{
MXS_ERROR("[%s] Result retrieval failed when checking for permissions "
"to the mysql.tables_priv table: %s", service->name, mysql_error(mysql));
"to the mysql.tables_priv table: %s",
service->name,
mysql_error(mysql));
}
else
{
@ -695,7 +758,8 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
}
// Check whether the current user has the SHOW DATABASES privilege
if (mxs_mysql_query(mysql, "SELECT show_db_priv FROM mysql.user "
if (mxs_mysql_query(mysql,
"SELECT show_db_priv FROM mysql.user "
"WHERE CONCAT(user, '@', host) = CURRENT_USER()") == 0)
{
MYSQL_RES* res = mysql_use_result(mysql);
@ -707,7 +771,8 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
{
MXS_WARNING("[%s] User '%s' is missing the SHOW DATABASES privilege. "
"This means that MaxScale cannot see all databases and authentication can fail.",
service->name, user);
service->name,
user);
}
mysql_free_result(res);
@ -721,9 +786,9 @@ static bool check_server_permissions(SERVICE *service, SERVER* server,
bool check_service_permissions(SERVICE* service)
{
if (rcap_type_required(service_get_capabilities(service), RCAP_TYPE_NO_AUTH) ||
config_get_global_options()->skip_permission_checks ||
service->dbref == NULL) // No servers to check
if (rcap_type_required(service_get_capabilities(service), RCAP_TYPE_NO_AUTH)
|| config_get_global_options()->skip_permission_checks
|| service->dbref == NULL) // No servers to check
{
return true;
}
@ -733,13 +798,13 @@ bool check_service_permissions(SERVICE* service)
serviceGetUser(service, &user, &password);
char *dpasswd = decrypt_password(password);
char* dpasswd = decrypt_password(password);
bool rval = false;
for (SERVER_REF *server = service->dbref; server; server = server->next)
for (SERVER_REF* server = service->dbref; server; server = server->next)
{
if (server_is_mxs_service(server->server) ||
check_server_permissions(service, server->server, user, dpasswd))
if (server_is_mxs_service(server->server)
|| check_server_permissions(service, server->server, user, dpasswd))
{
rval = true;
}
@ -760,32 +825,37 @@ bool check_service_permissions(SERVICE* service)
*
* @return True if the hostname query was successful
*/
static bool get_hostname(DCB *dcb, char *client_hostname, size_t size)
static bool get_hostname(DCB* dcb, char* client_hostname, size_t size)
{
struct addrinfo *ai = NULL, hint = {};
struct addrinfo* ai = NULL, hint = {};
hint.ai_flags = AI_ALL;
int rc;
if ((rc = getaddrinfo(dcb->remote, NULL, &hint, &ai)) != 0)
{
MXS_ERROR("Failed to obtain address for host %s, %s",
dcb->remote, gai_strerror(rc));
dcb->remote,
gai_strerror(rc));
return false;
}
/* Try to lookup the domain name of the given IP-address. This is a slow
* i/o-operation, which will stall the entire thread. TODO: cache results
* if this feature is used often. */
int lookup_result = getnameinfo(ai->ai_addr, ai->ai_addrlen,
client_hostname, size,
NULL, 0, // No need for the port
NI_NAMEREQD); // Text address only
int lookup_result = getnameinfo(ai->ai_addr,
ai->ai_addrlen,
client_hostname,
size,
NULL,
0, // No need for the port
NI_NAMEREQD); // Text address only
freeaddrinfo(ai);
if (lookup_result != 0 && lookup_result != EAI_NONAME)
{
MXS_WARNING("Client hostname lookup failed for '%s', getnameinfo() returned: '%s'.",
dcb->remote, gai_strerror(lookup_result));
dcb->remote,
gai_strerror(lookup_result));
}
return lookup_result == 0;
@ -799,8 +869,9 @@ static bool roles_are_available(MYSQL* conn, SERVICE* service, SERVER* server)
{
static bool log_missing_privs = true;
if (mxs_mysql_query(conn, "SET @roles_are_available=(SELECT 1 FROM mysql.roles_mapping LIMIT 1)") == 0 &&
mxs_mysql_query(conn, "SET @roles_are_available=(SELECT default_role FROM mysql.user LIMIT 1)") == 0)
if (mxs_mysql_query(conn, "SET @roles_are_available=(SELECT 1 FROM mysql.roles_mapping LIMIT 1)") == 0
&& mxs_mysql_query(conn,
"SET @roles_are_available=(SELECT default_role FROM mysql.user LIMIT 1)") == 0)
{
rval = true;
}
@ -810,24 +881,26 @@ static bool roles_are_available(MYSQL* conn, SERVICE* service, SERVER* server)
MXS_WARNING("The user for service '%s' might be missing the SELECT grant on "
"`mysql.roles_mapping` or `mysql.user`. Use of default roles is disabled "
"until the missing privileges are added. Error was: %s",
service->name, mysql_error(conn));
service->name,
mysql_error(conn));
}
}
return rval;
}
int get_users_from_server(MYSQL *con, SERVER_REF *server_ref, SERVICE *service, SERV_LISTENER *listener)
int get_users_from_server(MYSQL* con, SERVER_REF* server_ref, SERVICE* service, SERV_LISTENER* listener)
{
if (server_ref->server->version_string[0] == 0)
{
mxs_mysql_set_server_version(con, server_ref->server);
}
char *query = get_users_query(server_ref->server->version_string, service->enable_root,
char* query = get_users_query(server_ref->server->version_string,
service->enable_root,
roles_are_available(con, service, server_ref->server));
MYSQL_AUTH *instance = (MYSQL_AUTH*)listener->auth_instance;
MYSQL_AUTH* instance = (MYSQL_AUTH*)listener->auth_instance;
sqlite3* handle = get_handle(instance);
int users = 0;
@ -835,7 +908,7 @@ int get_users_from_server(MYSQL *con, SERVER_REF *server_ref, SERVICE *service,
{
if (mxs_mysql_query(con, query) == 0)
{
MYSQL_RES *result = mysql_store_result(con);
MYSQL_RES* result = mysql_store_result(con);
if (result)
{
@ -853,8 +926,12 @@ int get_users_from_server(MYSQL *con, SERVER_REF *server_ref, SERVICE *service,
merge_netmask(row[1]);
}
add_mysql_user(handle, row[0], row[1], row[2],
row[3] && strcmp(row[3], "Y") == 0, row[4]);
add_mysql_user(handle,
row[0],
row[1],
row[2],
row[3] && strcmp(row[3], "Y") == 0,
row[4]);
users++;
}
@ -872,7 +949,7 @@ int get_users_from_server(MYSQL *con, SERVER_REF *server_ref, SERVICE *service,
/** Load the list of databases */
if (mxs_mysql_query(con, "SHOW DATABASES") == 0)
{
MYSQL_RES *result = mysql_store_result(con);
MYSQL_RES* result = mysql_store_result(con);
if (result)
{
MYSQL_ROW row;
@ -900,15 +977,15 @@ int get_users_from_server(MYSQL *con, SERVER_REF *server_ref, SERVICE *service,
* @param users The users table into which to load the users
* @return -1 on any error or the number of users inserted
*/
static int get_users(SERV_LISTENER *listener, bool skip_local)
static int get_users(SERV_LISTENER* listener, bool skip_local)
{
const char *service_user = NULL;
const char *service_passwd = NULL;
SERVICE *service = listener->service;
const char* service_user = NULL;
const char* service_passwd = NULL;
SERVICE* service = listener->service;
serviceGetUser(service, &service_user, &service_passwd);
char *dpwd = decrypt_password(service_passwd);
char* dpwd = decrypt_password(service_passwd);
if (dpwd == NULL)
{
@ -916,33 +993,36 @@ static int get_users(SERV_LISTENER *listener, bool skip_local)
}
/** Delete the old users */
MYSQL_AUTH *instance = (MYSQL_AUTH*)listener->auth_instance;
MYSQL_AUTH* instance = (MYSQL_AUTH*)listener->auth_instance;
sqlite3* handle = get_handle(instance);
delete_mysql_users(handle);
SERVER_REF *server = service->dbref;
SERVER_REF* server = service->dbref;
int total_users = -1;
bool no_active_servers = true;
for (server = service->dbref; !maxscale_is_shutting_down() && server; server = server->next)
{
if (!SERVER_REF_IS_ACTIVE(server) || !server_is_active(server->server) ||
(skip_local && server_is_mxs_service(server->server)))
if (!SERVER_REF_IS_ACTIVE(server) || !server_is_active(server->server)
|| (skip_local && server_is_mxs_service(server->server)))
{
continue;
}
no_active_servers = false;
MYSQL *con = gw_mysql_init();
MYSQL* con = gw_mysql_init();
if (con)
{
if (mxs_mysql_real_connect(con, server->server, service_user, dpwd) == NULL)
{
MXS_ERROR("Failure loading users data from backend "
"[%s:%i] for service [%s]. MySQL error %i, %s",
server->server->address, server->server->port,
service->name, mysql_errno(con), mysql_error(con));
server->server->address,
server->server->port,
service->name,
mysql_errno(con),
mysql_error(con));
mysql_close(con);
}
else
@ -975,7 +1055,8 @@ static int get_users(SERV_LISTENER *listener, bool skip_local)
else if (server == NULL && total_users == -1)
{
MXS_ERROR("Unable to get user data from backend database for service [%s]."
" Failed to connect to any of the backend databases.", service->name);
" Failed to connect to any of the backend databases.",
service->name);
}
return total_users;

315
server/modules/authenticator/MySQLAuth/mysql_auth.cc
View File

@ -37,36 +37,38 @@
#include <maxscale/utils.h>
#include <maxscale/routingworker.h>
static void* mysql_auth_init(char **options);
static bool mysql_auth_set_protocol_data(DCB *dcb, GWBUF *buf);
static bool mysql_auth_is_client_ssl_capable(DCB *dcb);
static int mysql_auth_authenticate(DCB *dcb);
static void mysql_auth_free_client_data(DCB *dcb);
static int mysql_auth_load_users(SERV_LISTENER *port);
static void *mysql_auth_create(void *instance);
static void mysql_auth_destroy(void *data);
static void* mysql_auth_init(char** options);
static bool mysql_auth_set_protocol_data(DCB* dcb, GWBUF* buf);
static bool mysql_auth_is_client_ssl_capable(DCB* dcb);
static int mysql_auth_authenticate(DCB* dcb);
static void mysql_auth_free_client_data(DCB* dcb);
static int mysql_auth_load_users(SERV_LISTENER* port);
static void* mysql_auth_create(void* instance);
static void mysql_auth_destroy(void* data);
static int combined_auth_check(
DCB *dcb,
uint8_t *auth_token,
size_t auth_token_len,
MySQLProtocol *protocol,
char *username,
uint8_t *stage1_hash,
char *database
);
static bool mysql_auth_set_client_data(
MYSQL_session *client_data,
MySQLProtocol *protocol,
GWBUF *buffer);
static int combined_auth_check(DCB* dcb,
uint8_t* auth_token,
size_t auth_token_len,
MySQLProtocol* protocol,
char* username,
uint8_t* stage1_hash,
char* database
);
static bool mysql_auth_set_client_data(MYSQL_session* client_data,
MySQLProtocol* protocol,
GWBUF* buffer);
void mysql_auth_diagnostic(DCB *dcb, SERV_LISTENER *port);
json_t* mysql_auth_diagnostic_json(const SERV_LISTENER *port);
void mysql_auth_diagnostic(DCB* dcb, SERV_LISTENER* port);
json_t* mysql_auth_diagnostic_json(const SERV_LISTENER* port);
int mysql_auth_reauthenticate(DCB *dcb, const char *user,
uint8_t *token, size_t token_len,
uint8_t *scramble, size_t scramble_len,
uint8_t *output_token, size_t output_token_len);
int mysql_auth_reauthenticate(DCB* dcb,
const char* user,
uint8_t* token,
size_t token_len,
uint8_t* scramble,
size_t scramble_len,
uint8_t* output_token,
size_t output_token_len);
extern "C"
{
@ -78,45 +80,44 @@ extern "C"
*
* @return The module object
*/
MXS_MODULE* MXS_CREATE_MODULE()
{
static MXS_AUTHENTICATOR MyObject =
MXS_MODULE* MXS_CREATE_MODULE()
{
mysql_auth_init, /* Initialize the authenticator */
NULL, /* Create entry point */
mysql_auth_set_protocol_data, /* Extract data into structure */
mysql_auth_is_client_ssl_capable, /* Check if client supports SSL */
mysql_auth_authenticate, /* Authenticate user credentials */
mysql_auth_free_client_data, /* Free the client data held in DCB */
NULL, /* Destroy entry point */
mysql_auth_load_users, /* Load users from backend databases */
mysql_auth_diagnostic,
mysql_auth_diagnostic_json,
mysql_auth_reauthenticate /* Handle COM_CHANGE_USER */
};
static MXS_AUTHENTICATOR MyObject =
{
mysql_auth_init, /* Initialize the authenticator */
NULL, /* Create entry point */
mysql_auth_set_protocol_data, /* Extract data into structure */
mysql_auth_is_client_ssl_capable, /* Check if client supports SSL */
mysql_auth_authenticate, /* Authenticate user credentials */
mysql_auth_free_client_data, /* Free the client data held in DCB */
NULL, /* Destroy entry point */
mysql_auth_load_users, /* Load users from backend databases */
mysql_auth_diagnostic,
mysql_auth_diagnostic_json,
mysql_auth_reauthenticate /* Handle COM_CHANGE_USER */
};
static MXS_MODULE info =
{
MXS_MODULE_API_AUTHENTICATOR,
MXS_MODULE_GA,
MXS_AUTHENTICATOR_VERSION,
"The MySQL client to MaxScale authenticator implementation",
"V1.1.0",
ACAP_TYPE_ASYNC,
&MyObject,
NULL, /* Process init. */
NULL, /* Process finish. */
NULL, /* Thread init. */
NULL, /* Thread finish. */
{ { MXS_END_MODULE_PARAMS} }
};
static MXS_MODULE info =
{
MXS_MODULE_API_AUTHENTICATOR,
MXS_MODULE_GA,
MXS_AUTHENTICATOR_VERSION,
"The MySQL client to MaxScale authenticator implementation",
"V1.1.0",
ACAP_TYPE_ASYNC,
&MyObject,
NULL, /* Process init. */
NULL, /* Process finish. */
NULL, /* Thread init. */
NULL, /* Thread finish. */
{{MXS_END_MODULE_PARAMS}}
};
return &info;
return &info;
}
}
}
static bool open_instance_database(const char *path, sqlite3 **handle)
static bool open_instance_database(const char* path, sqlite3** handle)
{
int rc = sqlite3_open_v2(path, handle, db_flags, NULL);
@ -126,11 +127,11 @@ static bool open_instance_database(const char *path, sqlite3 **handle)
return false;
}
char *err;
char* err;
if (sqlite3_exec(*handle, users_create_sql, NULL, NULL, &err) != SQLITE_OK ||
sqlite3_exec(*handle, databases_create_sql, NULL, NULL, &err) != SQLITE_OK ||
sqlite3_exec(*handle, pragma_sql, NULL, NULL, &err) != SQLITE_OK)
if (sqlite3_exec(*handle, users_create_sql, NULL, NULL, &err) != SQLITE_OK
|| sqlite3_exec(*handle, databases_create_sql, NULL, NULL, &err) != SQLITE_OK
|| sqlite3_exec(*handle, pragma_sql, NULL, NULL, &err) != SQLITE_OK)
{
MXS_ERROR("Failed to create database: %s", err);
sqlite3_free(err);
@ -148,7 +149,7 @@ sqlite3* get_handle(MYSQL_AUTH* instance)
if (instance->handles[i] == NULL)
{
MXB_AT_DEBUG(bool rval = )open_instance_database(":memory:", &instance->handles[i]);
MXB_AT_DEBUG(bool rval = ) open_instance_database(":memory:", &instance->handles[i]);
mxb_assert(rval);
}
@ -174,12 +175,12 @@ static bool should_check_permissions(MYSQL_AUTH* instance)
* @param options Authenticator options
* @return New MYSQL_AUTH instance or NULL on error
*/
static void* mysql_auth_init(char **options)
static void* mysql_auth_init(char** options)
{
MYSQL_AUTH *instance = static_cast<MYSQL_AUTH*>(MXS_MALLOC(sizeof(*instance)));
MYSQL_AUTH* instance = static_cast<MYSQL_AUTH*>(MXS_MALLOC(sizeof(*instance)));
if (instance &&
(instance->handles = static_cast<sqlite3**>(MXS_CALLOC(config_threadcount(), sizeof(sqlite3*)))))
if (instance
&& (instance->handles = static_cast<sqlite3**>(MXS_CALLOC(config_threadcount(), sizeof(sqlite3*)))))
{
bool error = false;
instance->cache_dir = NULL;
@ -190,7 +191,7 @@ static void* mysql_auth_init(char **options)
for (int i = 0; options[i]; i++)
{
char *value = strchr(options[i], '=');
char* value = strchr(options[i], '=');
if (value)
{
@ -198,8 +199,8 @@ static void* mysql_auth_init(char **options)
if (strcmp(options[i], "cache_dir") == 0)
{
if ((instance->cache_dir = MXS_STRDUP(value)) == NULL ||
!clean_up_pathname(instance->cache_dir))
if ((instance->cache_dir = MXS_STRDUP(value)) == NULL
|| !clean_up_pathname(instance->cache_dir))
{
error = true;
}
@ -246,13 +247,13 @@ static void* mysql_auth_init(char **options)
return instance;
}
static bool is_localhost_address(struct sockaddr_storage *addr)
static bool is_localhost_address(struct sockaddr_storage* addr)
{
bool rval = false;
if (addr->ss_family == AF_INET)
{
struct sockaddr_in *ip = (struct sockaddr_in*)addr;
struct sockaddr_in* ip = (struct sockaddr_in*)addr;
if (ip->sin_addr.s_addr == INADDR_LOOPBACK)
{
rval = true;
@ -260,7 +261,7 @@ static bool is_localhost_address(struct sockaddr_storage *addr)
}
else if (addr->ss_family == AF_INET6)
{
struct sockaddr_in6 *ip = (struct sockaddr_in6*)addr;
struct sockaddr_in6* ip = (struct sockaddr_in6*)addr;
if (memcmp(&ip->sin6_addr, &in6addr_loopback, sizeof(ip->sin6_addr)) == 0)
{
rval = true;
@ -280,26 +281,32 @@ static bool is_localhost_address(struct sockaddr_storage *addr)
* @return Authentication status
* @note Authentication status codes are defined in maxscale/protocol/mysql.h
*/
static int
mysql_auth_authenticate(DCB *dcb)
static int mysql_auth_authenticate(DCB* dcb)
{
int auth_ret = ssl_authenticate_check_status(dcb);
MYSQL_session *client_data = (MYSQL_session *)dcb->data;
MYSQL_session* client_data = (MYSQL_session*)dcb->data;
if (auth_ret == MXS_AUTH_SSL_COMPLETE && *client_data->user)
{
MXS_DEBUG("Receiving connection from '%s' to database '%s'.",
client_data->user, client_data->db);
client_data->user,
client_data->db);
MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
MySQLProtocol *protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
auth_ret = validate_mysql_user(instance, dcb, client_data,
protocol->scramble, sizeof(protocol->scramble));
MYSQL_AUTH* instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
MySQLProtocol* protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
auth_ret = validate_mysql_user(instance,
dcb,
client_data,
protocol->scramble,
sizeof(protocol->scramble));
if (auth_ret != MXS_AUTH_SUCCEEDED &&
service_refresh_users(dcb->service) == 0)
if (auth_ret != MXS_AUTH_SUCCEEDED
&& service_refresh_users(dcb->service) == 0)
{
auth_ret = validate_mysql_user(instance, dcb, client_data,
protocol->scramble, sizeof(protocol->scramble));
auth_ret = validate_mysql_user(instance,
dcb,
client_data,
protocol->scramble,
sizeof(protocol->scramble));
}
/* on successful authentication, set user into dcb field */
@ -327,21 +334,30 @@ mysql_auth_authenticate(DCB *dcb)
{
MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE,
"%s: login attempt for user '%s'@[%s]:%s, authentication failed. %s",
dcb->service->name, client_data->user, dcb->remote, dcb->path, extra);
dcb->service->name,
client_data->user,
dcb->remote,
dcb->path,
extra);
}
else
{
MXS_LOG_EVENT(maxscale::event::AUTHENTICATION_FAILURE,
"%s: login attempt for user '%s'@[%s]:%d, authentication failed. %s",
dcb->service->name, client_data->user, dcb->remote, dcb_get_port(dcb), extra);
dcb->service->name,
client_data->user,
dcb->remote,
dcb_get_port(dcb),
extra);
}
if (is_localhost_address(&dcb->ip) &&
!dcb->service->localhost_match_wildcard_host)
if (is_localhost_address(&dcb->ip)
&& !dcb->service->localhost_match_wildcard_host)
{
MXS_NOTICE("If you have a wildcard grant that covers this address, "
"try adding 'localhost_match_wildcard_host=true' for "
"service '%s'. ", dcb->service->name);
"service '%s'. ",
dcb->service->name);
}
}
@ -370,15 +386,14 @@ mysql_auth_authenticate(DCB *dcb)
* @param buffer Pointer to pointer to buffer containing data from client
* @return True on success, false on error
*/
static bool
mysql_auth_set_protocol_data(DCB *dcb, GWBUF *buf)
static bool mysql_auth_set_protocol_data(DCB* dcb, GWBUF* buf)
{
MySQLProtocol *protocol = NULL;
MYSQL_session *client_data = NULL;
MySQLProtocol* protocol = NULL;
MYSQL_session* client_data = NULL;
int client_auth_packet_size = 0;
protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
client_data = (MYSQL_session *)dcb->data;
client_data = (MYSQL_session*)dcb->data;
client_auth_packet_size = gwbuf_length(buf);
@ -418,11 +433,9 @@ mysql_auth_set_protocol_data(DCB *dcb, GWBUF *buf)
* @param client_auth_packet size An integer giving the size of the data
* @return True on success, false on error
*/
static bool
mysql_auth_set_client_data(
MYSQL_session *client_data,
MySQLProtocol *protocol,
GWBUF *buffer)
static bool mysql_auth_set_client_data(MYSQL_session* client_data,
MySQLProtocol* protocol,
GWBUF* buffer)
{
int client_auth_packet_size = gwbuf_length(buffer);
uint8_t client_auth_packet[client_auth_packet_size];
@ -457,12 +470,14 @@ mysql_auth_set_client_data(
{
/* Extra 1 is for the terminating null after user name */
packet_length_used = MYSQL_AUTH_PACKET_BASE_SIZE + user_length + 1;
/* We should find an authentication token next */
/* One byte of packet is the length of authentication token */
/*
* We should find an authentication token next
* One byte of packet is the length of authentication token
*/
client_data->auth_token_len = client_auth_packet[packet_length_used];
if (client_auth_packet_size >
(packet_length_used + client_data->auth_token_len))
if (client_auth_packet_size
> (packet_length_used + client_data->auth_token_len))
{
client_data->auth_token = (uint8_t*)MXS_MALLOC(client_data->auth_token_len);
@ -504,10 +519,9 @@ mysql_auth_set_client_data(
* @param dcb Request handler DCB connected to the client
* @return Boolean indicating whether client is SSL capable
*/
static bool
mysql_auth_is_client_ssl_capable(DCB *dcb)
static bool mysql_auth_is_client_ssl_capable(DCB* dcb)
{
MySQLProtocol *protocol;
MySQLProtocol* protocol;
protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
return (protocol->client_capabilities & (int)GW_MYSQL_CAPABILITIES_SSL) ? true : false;
@ -525,8 +539,7 @@ mysql_auth_is_client_ssl_capable(DCB *dcb)
*
* @param dcb Request handler DCB connected to the client
*/
static void
mysql_auth_free_client_data(DCB *dcb)
static void mysql_auth_free_client_data(DCB* dcb)
{
MXS_FREE(dcb->data);
}
@ -537,10 +550,10 @@ mysql_auth_free_client_data(DCB *dcb)
* @param port Service listener
* @return True on success, false on error
*/
static bool add_service_user(SERV_LISTENER *port)
static bool add_service_user(SERV_LISTENER* port)
{
const char *user = NULL;
const char *password = NULL;
const char* user = NULL;
const char* password = NULL;
bool rval = false;
serviceGetUser(port->service, &user, &password);
@ -549,11 +562,11 @@ static bool add_service_user(SERV_LISTENER *port)
if ((pw = decrypt_password(password)))
{
char *newpw = create_hex_sha1_sha1_passwd(pw);
char* newpw = create_hex_sha1_sha1_passwd(pw);
if (newpw)
{
MYSQL_AUTH *inst = (MYSQL_AUTH*)port->auth_instance;
MYSQL_AUTH* inst = (MYSQL_AUTH*)port->auth_instance;
sqlite3* handle = get_handle(inst);
add_mysql_user(handle, user, "%", "", "Y", newpw);
add_mysql_user(handle, user, "localhost", "", "Y", newpw);
@ -592,11 +605,11 @@ static bool service_has_servers(SERVICE* service)
* @return MXS_AUTH_LOADUSERS_OK on success, MXS_AUTH_LOADUSERS_ERROR and
* MXS_AUTH_LOADUSERS_FATAL on fatal error
*/
static int mysql_auth_load_users(SERV_LISTENER *port)
static int mysql_auth_load_users(SERV_LISTENER* port)
{
int rc = MXS_AUTH_LOADUSERS_OK;
SERVICE *service = port->listener->service;
MYSQL_AUTH *instance = (MYSQL_AUTH*)port->auth_instance;
SERVICE* service = port->listener->service;
MYSQL_AUTH* instance = (MYSQL_AUTH*)port->auth_instance;
bool first_load = false;
if (should_check_permissions(instance))
@ -618,8 +631,11 @@ static int mysql_auth_load_users(SERV_LISTENER *port)
{
if (loaded < 0)
{
MXS_ERROR("[%s] Unable to load users for listener %s listening at [%s]:%d.", service->name,
port->name, port->address ? port->address : "::", port->port);
MXS_ERROR("[%s] Unable to load users for listener %s listening at [%s]:%d.",
service->name,
port->name,
port->address ? port->address : "::",
port->port);
}
if (instance->inject_service_user)
@ -643,13 +659,15 @@ static int mysql_auth_load_users(SERV_LISTENER *port)
{
MXS_NOTICE("[%s] No users were loaded but 'inject_service_user' is enabled. "
"Enabling service credentials for authentication until "
"database users have been successfully loaded.", service->name);
"database users have been successfully loaded.",
service->name);
}
}
else if (loaded == 0 && !first_load)
{
MXS_WARNING("[%s]: failed to load any user information. Authentication"
" will probably fail as a result.", service->name);
" will probably fail as a result.",
service->name);
}
else if (loaded > 0 && first_load)
{
@ -659,12 +677,16 @@ static int mysql_auth_load_users(SERV_LISTENER *port)
return rc;
}
int mysql_auth_reauthenticate(DCB *dcb, const char *user,
uint8_t *token, size_t token_len,
uint8_t *scramble, size_t scramble_len,
uint8_t *output_token, size_t output_token_len)
int mysql_auth_reauthenticate(DCB* dcb,
const char* user,
uint8_t* token,
size_t token_len,
uint8_t* scramble,
size_t scramble_len,
uint8_t* output_token,
size_t output_token_len)
{
MYSQL_session *client_data = (MYSQL_session *)dcb->data;
MYSQL_session* client_data = (MYSQL_session*)dcb->data;
MYSQL_session temp;
int rval = 1;
@ -673,7 +695,7 @@ int mysql_auth_reauthenticate(DCB *dcb, const char *user,
temp.auth_token = token;
temp.auth_token_len = token_len;
MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
MYSQL_AUTH* instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
int rc = validate_mysql_user(instance, dcb, &temp, scramble, scramble_len);
if (rc != MXS_AUTH_SUCCEEDED && service_refresh_users(dcb->service) == 0)
@ -688,24 +710,26 @@ int mysql_auth_reauthenticate(DCB *dcb, const char *user,
}
return rval;
}
int diag_cb(void *data, int columns, char **row, char **field_names)
int diag_cb(void* data, int columns, char** row, char** field_names)
{
DCB *dcb = (DCB*)data;
DCB* dcb = (DCB*)data;
dcb_printf(dcb, "%s@%s ", row[0], row[1]);
return 0;
}
void mysql_auth_diagnostic(DCB *dcb, SERV_LISTENER *port)
void mysql_auth_diagnostic(DCB* dcb, SERV_LISTENER* port)
{
MYSQL_AUTH *instance = (MYSQL_AUTH*)port->auth_instance;
MYSQL_AUTH* instance = (MYSQL_AUTH*)port->auth_instance;
sqlite3* handle = get_handle(instance);
char *err;
char* err;
if (sqlite3_exec(handle, "SELECT user, host FROM " MYSQLAUTH_USERS_TABLE_NAME,
diag_cb, dcb, &err) != SQLITE_OK)
if (sqlite3_exec(handle,
"SELECT user, host FROM " MYSQLAUTH_USERS_TABLE_NAME,
diag_cb,
dcb,
&err) != SQLITE_OK)
{
dcb_printf(dcb, "Could not access users: %s", err);
MXS_ERROR("Could not access users: %s", err);
@ -713,7 +737,7 @@ void mysql_auth_diagnostic(DCB *dcb, SERV_LISTENER *port)
}
}
int diag_cb_json(void *data, int columns, char **row, char **field_names)
int diag_cb_json(void* data, int columns, char** row, char** field_names)
{
json_t* obj = json_object();
json_object_set_new(obj, "user", json_string(row[0]));
@ -724,16 +748,19 @@ int diag_cb_json(void *data, int columns, char **row, char **field_names)
return 0;
}
json_t* mysql_auth_diagnostic_json(const SERV_LISTENER *port)
json_t* mysql_auth_diagnostic_json(const SERV_LISTENER* port)
{
json_t* rval = json_array();
MYSQL_AUTH *instance = (MYSQL_AUTH*)port->auth_instance;
char *err;
MYSQL_AUTH* instance = (MYSQL_AUTH*)port->auth_instance;
char* err;
sqlite3* handle = get_handle(instance);
if (sqlite3_exec(handle, "SELECT user, host FROM " MYSQLAUTH_USERS_TABLE_NAME,
diag_cb_json, rval, &err) != SQLITE_OK)
if (sqlite3_exec(handle,
"SELECT user, host FROM " MYSQLAUTH_USERS_TABLE_NAME,
diag_cb_json,
rval,
&err) != SQLITE_OK)
{
MXS_ERROR("Failed to print users: %s", err);
sqlite3_free(err);

107
server/modules/authenticator/MySQLAuth/mysql_auth.h
View File

@ -10,7 +10,7 @@
* of this software will be governed by version 2 or later of the General
* Public License.
*/
#pragma once
#pragma once
/*
* @verbatim
@ -43,44 +43,44 @@ static const char DBUSERS_DIR[] = "cache";
static const char DBUSERS_FILE[] = "dbusers.db";
/** The table name where we store the users */
#define MYSQLAUTH_USERS_TABLE_NAME "mysqlauth_users"
#define MYSQLAUTH_USERS_TABLE_NAME "mysqlauth_users"
/** The table name where we store the users */
#define MYSQLAUTH_DATABASES_TABLE_NAME "mysqlauth_databases"
#define MYSQLAUTH_DATABASES_TABLE_NAME "mysqlauth_databases"
/** CREATE TABLE statement for the in-memory users table */
static const char users_create_sql[] =
"CREATE TABLE IF NOT EXISTS " MYSQLAUTH_USERS_TABLE_NAME
"(user varchar(255), host varchar(255), db varchar(255), anydb boolean, password text)";
static const char users_create_sql[]
= "CREATE TABLE IF NOT EXISTS " MYSQLAUTH_USERS_TABLE_NAME
"(user varchar(255), host varchar(255), db varchar(255), anydb boolean, password text)";
/** CREATE TABLE statement for the in-memory databases table */
static const char databases_create_sql[] =
"CREATE TABLE IF NOT EXISTS " MYSQLAUTH_DATABASES_TABLE_NAME "(db varchar(255))";
static const char databases_create_sql[]
= "CREATE TABLE IF NOT EXISTS " MYSQLAUTH_DATABASES_TABLE_NAME "(db varchar(255))";
/** PRAGMA configuration options for SQLite */
static const char pragma_sql[] = "PRAGMA JOURNAL_MODE=NONE";
/** Query that checks if there's a grant for the user being authenticated */
static const char mysqlauth_validate_user_query[] =
"SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
" WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
" LIMIT 1";
static const char mysqlauth_validate_user_query[]
= "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
" WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
" LIMIT 1";
/** Query that checks if there's a grant for the user being authenticated */
static const char mysqlauth_validate_user_query_lower[] =
"SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
" WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR LOWER('%s') LIKE LOWER(db))"
" LIMIT 1";
static const char mysqlauth_validate_user_query_lower[]
= "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
" WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR LOWER('%s') LIKE LOWER(db))"
" LIMIT 1";
/** Query that only checks if there's a matching user */
static const char mysqlauth_skip_auth_query[] =
"SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
" WHERE user = '%s' AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
" LIMIT 1";
static const char mysqlauth_skip_auth_query[]
= "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME
" WHERE user = '%s' AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)"
" LIMIT 1";
/** Query that checks that the database exists */
static const char mysqlauth_validate_database_query[] =
"SELECT * FROM " MYSQLAUTH_DATABASES_TABLE_NAME " WHERE db = '%s' LIMIT 1";
static const char mysqlauth_validate_database_query[]
= "SELECT * FROM " MYSQLAUTH_DATABASES_TABLE_NAME " WHERE db = '%s' LIMIT 1";
/** Delete query used to clean up the database before loading new users */
static const char delete_users_query[] = "DELETE FROM " MYSQLAUTH_USERS_TABLE_NAME;
@ -89,35 +89,35 @@ static const char delete_users_query[] = "DELETE FROM " MYSQLAUTH_USERS_TABLE_NA
static const char delete_databases_query[] = "DELETE FROM " MYSQLAUTH_DATABASES_TABLE_NAME;
/** The insert query template which adds users to the mysqlauth_users table */
static const char insert_user_query[] =
"INSERT OR REPLACE INTO " MYSQLAUTH_USERS_TABLE_NAME " VALUES ('%s', '%s', %s, %s, %s)";
static const char insert_user_query[]
= "INSERT OR REPLACE INTO " MYSQLAUTH_USERS_TABLE_NAME " VALUES ('%s', '%s', %s, %s, %s)";
/** The insert query template which adds the databases to the table */
static const char insert_database_query[] =
"INSERT OR REPLACE INTO " MYSQLAUTH_DATABASES_TABLE_NAME " VALUES ('%s')";
static const char insert_database_query[]
= "INSERT OR REPLACE INTO " MYSQLAUTH_DATABASES_TABLE_NAME " VALUES ('%s')";
static const char dump_users_query[] =
"SELECT user, host, db, anydb, password FROM " MYSQLAUTH_USERS_TABLE_NAME;
static const char dump_users_query[]
= "SELECT user, host, db, anydb, password FROM " MYSQLAUTH_USERS_TABLE_NAME;
static const char dump_databases_query[] =
"SELECT db FROM " MYSQLAUTH_DATABASES_TABLE_NAME;
static const char dump_databases_query[]
= "SELECT db FROM " MYSQLAUTH_DATABASES_TABLE_NAME;
/** Used for NULL value creation in the INSERT query */
static const char null_token[] = "NULL";
/** Flags for sqlite3_open_v2() */
static int db_flags = SQLITE_OPEN_READWRITE |
SQLITE_OPEN_CREATE |
SQLITE_OPEN_NOMUTEX;
static int db_flags = SQLITE_OPEN_READWRITE
| SQLITE_OPEN_CREATE
| SQLITE_OPEN_NOMUTEX;
typedef struct mysql_auth
{
sqlite3 **handles; /**< SQLite3 database handle */
char *cache_dir; /**< Custom cache directory location */
bool inject_service_user; /**< Inject the service user into the list of users */
bool skip_auth; /**< Authentication will always be successful */
bool check_permissions;
bool lower_case_table_names; /**< Disable database case-sensitivity */
sqlite3** handles; /**< SQLite3 database handle */
char* cache_dir; /**< Custom cache directory location */
bool inject_service_user; /**< Inject the service user into the list of users */
bool skip_auth; /**< Authentication will always be successful */
bool check_permissions;
bool lower_case_table_names; /**< Disable database case-sensitivity */
} MYSQL_AUTH;
/**
@ -125,11 +125,11 @@ typedef struct mysql_auth
*/
typedef struct mysql_user_host_key
{
char *user;
char* user;
struct sockaddr_in ipv4;
int netmask;
char *resource;
char hostname[MYSQL_HOST_MAXLEN + 1];
int netmask;
char* resource;
char hostname[MYSQL_HOST_MAXLEN + 1];
} MYSQL_USER_HOST;
/**
@ -150,8 +150,12 @@ sqlite3* get_handle(MYSQL_AUTH* instance);
* @param db Database
* @param anydb Global access to databases
*/
void add_mysql_user(sqlite3 *handle, const char *user, const char *host,
const char *db, bool anydb, const char *pw);
void add_mysql_user(sqlite3* handle,
const char* user,
const char* host,
const char* db,
bool anydb,
const char* pw);
/**
* @brief Check if the service user has all required permissions to operate properly.
@ -174,7 +178,7 @@ bool check_service_permissions(SERVICE* service);
*
* @return True on success
*/
bool dbusers_load(sqlite3 *handle, const char *filename);
bool dbusers_load(sqlite3* handle, const char* filename);
/**
* Save users to persisted database
@ -183,7 +187,7 @@ bool dbusers_load(sqlite3 *handle, const char *filename);
*
* @return True on success
*/
bool dbusers_save(sqlite3 *src, const char *filename);
bool dbusers_save(sqlite3* src, const char* filename);
/**
* Reload and replace the currently loaded database users
@ -193,7 +197,7 @@ bool dbusers_save(sqlite3 *src, const char *filename);
*
* @return -1 on any error or the number of users inserted (0 means no users at all)
*/
int replace_mysql_users(SERV_LISTENER *listener, bool skip_local);
int replace_mysql_users(SERV_LISTENER* listener, bool skip_local);
/**
* @brief Verify the user has access to the database
@ -206,7 +210,10 @@ int replace_mysql_users(SERV_LISTENER *listener, bool skip_local);
*
* @return MXS_AUTH_SUCCEEDED if the user has access to the database
*/
int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session,
uint8_t *scramble, size_t scramble_len);
int validate_mysql_user(MYSQL_AUTH* instance,
DCB* dcb,
MYSQL_session* session,
uint8_t* scramble,
size_t scramble_len);
MXS_END_DECLS