205 lines
5.5 KiB
C++
205 lines
5.5 KiB
C++
/*
|
|
* Copyright (c) 2016 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl11.
|
|
*
|
|
* Change Date: 2024-11-16
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
|
|
/**
|
|
* @file mysql_backend_auth.c - MySQL backend authenticator
|
|
*
|
|
* Backend authentication module for the MySQL protocol. Implements the
|
|
* client side of the 'mysql_native_password' authentication plugin.
|
|
*
|
|
* The "heavy lifting" of the authentication is done by the protocol module so
|
|
* the only thing left for this module is to read the final OK packet from the
|
|
* server.
|
|
*/
|
|
|
|
#define MXS_MODULE_NAME "MariaDBBackendAuth"
|
|
|
|
#include <maxbase/alloc.h>
|
|
#include <maxscale/authenticator.hh>
|
|
#include <maxscale/protocol/mysql.hh>
|
|
#include <maxscale/server.hh>
|
|
#include <maxscale/utils.h>
|
|
|
|
/** Authentication states */
|
|
enum mba_state
|
|
{
|
|
MBA_NEED_OK, /**< Waiting for server's OK packet */
|
|
MBA_AUTH_OK, /**< Authentication completed successfully */
|
|
MBA_AUTH_FAILED /**< Authentication failed */
|
|
};
|
|
|
|
/** Structure representing the authentication state */
|
|
typedef struct mysql_backend_auth
|
|
{
|
|
enum mba_state state; /**< Authentication state */
|
|
} mysql_backend_auth_t;
|
|
|
|
/**
|
|
* @brief Allocate a new mysql_backend_auth object
|
|
* @return Allocated object or NULL if memory allocation failed
|
|
*/
|
|
void* auth_backend_create(void* instance)
|
|
{
|
|
mysql_backend_auth_t* mba = static_cast<mysql_backend_auth_t*>(MXS_MALLOC(sizeof(*mba)));
|
|
|
|
if (mba)
|
|
{
|
|
mba->state = MBA_NEED_OK;
|
|
}
|
|
|
|
return mba;
|
|
}
|
|
|
|
/**
|
|
* @brief Free allocated mysql_backend_auth object
|
|
* @param data Allocated mysql_backend_auth object
|
|
*/
|
|
void auth_backend_destroy(void* data)
|
|
{
|
|
if (data)
|
|
{
|
|
MXS_FREE(data);
|
|
}
|
|
}
|
|
/**
|
|
* @brief Extract backend response
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
* @param buffer Buffer containing data from client
|
|
* @return True on success, false on error
|
|
* @see authenticator.h
|
|
*/
|
|
static bool auth_backend_extract(DCB* dcb, GWBUF* buf)
|
|
{
|
|
bool rval = false;
|
|
mysql_backend_auth_t* mba = (mysql_backend_auth_t*)dcb->authenticator_data;
|
|
|
|
switch (mba->state)
|
|
{
|
|
case MBA_NEED_OK:
|
|
if (mxs_mysql_is_ok_packet(buf))
|
|
{
|
|
rval = true;
|
|
mba->state = MBA_AUTH_OK;
|
|
}
|
|
else if (mxs_mysql_get_command(buf) == MYSQL_REPLY_AUTHSWITCHREQUEST
|
|
&& send_mysql_native_password_response(dcb, buf))
|
|
{
|
|
rval = true;
|
|
}
|
|
else
|
|
{
|
|
mba->state = MBA_AUTH_FAILED;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
MXS_ERROR("Unexpected call to MySQLBackendAuth::extract");
|
|
mxb_assert(false);
|
|
break;
|
|
}
|
|
|
|
return rval;
|
|
}
|
|
|
|
/**
|
|
* @brief Authenticates as a MySQL user
|
|
*
|
|
* @param dcb Backend DCB
|
|
* @return Authentication status
|
|
* @see authenticator.h
|
|
*/
|
|
static int auth_backend_authenticate(DCB* dcb)
|
|
{
|
|
int rval = MXS_AUTH_FAILED;
|
|
mysql_backend_auth_t* mba = (mysql_backend_auth_t*)dcb->authenticator_data;
|
|
|
|
if (mba->state == MBA_AUTH_OK)
|
|
{
|
|
/** Authentication completed successfully */
|
|
rval = MXS_AUTH_SUCCEEDED;
|
|
}
|
|
else if (mba->state == MBA_NEED_OK)
|
|
{
|
|
/** Sent AuthSwitchRequest response */
|
|
rval = MXS_AUTH_INCOMPLETE;
|
|
}
|
|
|
|
return rval;
|
|
}
|
|
|
|
/**
|
|
* @brief Determine whether the client is SSL capable
|
|
*
|
|
* The authentication request from the client will indicate whether the client
|
|
* is expecting to make an SSL connection. The information has been extracted
|
|
* in the previous functions.
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
* @return Boolean indicating whether client is SSL capable
|
|
*/
|
|
static bool auth_backend_ssl(DCB* dcb)
|
|
{
|
|
return dcb->server->ssl().context() != NULL;
|
|
}
|
|
|
|
extern "C"
|
|
{
|
|
/**
|
|
* The module entry point routine. It is this routine that
|
|
* must populate the structure that is referred to as the
|
|
* "module object", this is a structure with the set of
|
|
* external entry points for this module.
|
|
*
|
|
* @return The module object
|
|
*/
|
|
MXS_MODULE* MXS_CREATE_MODULE()
|
|
{
|
|
static MXS_AUTHENTICATOR MyObject =
|
|
{
|
|
NULL, /* No initialize entry point */
|
|
auth_backend_create, /* Create authenticator */
|
|
auth_backend_extract, /* Extract data into structure */
|
|
auth_backend_ssl, /* Check if client supports SSL */
|
|
auth_backend_authenticate, /* Authenticate user credentials */
|
|
NULL, /* The shared data is freed by the client DCB */
|
|
auth_backend_destroy, /* Destroy authenticator */
|
|
NULL, /* We don't need to load users */
|
|
NULL, /* No diagnostic */
|
|
NULL,
|
|
NULL /* No user reauthentication */
|
|
};
|
|
|
|
static MXS_MODULE info =
|
|
{
|
|
MXS_MODULE_API_AUTHENTICATOR,
|
|
MXS_MODULE_GA,
|
|
MXS_AUTHENTICATOR_VERSION,
|
|
"The MySQL MaxScale to backend server authenticator",
|
|
"V1.0.0",
|
|
MXS_NO_MODULE_CAPABILITIES,
|
|
&MyObject,
|
|
NULL, /* Process init. */
|
|
NULL, /* Process finish. */
|
|
NULL, /* Thread init. */
|
|
NULL, /* Thread finish. */
|
|
{
|
|
{MXS_END_MODULE_PARAMS}
|
|
}
|
|
};
|
|
|
|
return &info;
|
|
}
|
|
/*lint +e14 */
|
|
}
|