/** * Copyright (c) 2021 OceanBase * OceanBase CE is licensed under Mulan PubL v2. * You can use this software according to the terms and conditions of the Mulan PubL v2. * You may obtain a copy of Mulan PubL v2 at: * http://license.coscl.org.cn/MulanPubL-2.0 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. * See the Mulan PubL v2 for more details. */ #define USING_LOG_PREFIX SQL_RESV #include "sql/resolver/dcl/ob_create_user_resolver.h" #include "sql/resolver/ddl/ob_database_resolver.h" #include "sql/resolver/dcl/ob_set_password_resolver.h" #include "sql/session/ob_sql_session_info.h" #include "sql/parser/ob_item_type.h" using namespace oceanbase::sql; using namespace oceanbase::common; using namespace oceanbase::share; using namespace oceanbase::share::schema; ObCreateUserResolver::ObCreateUserResolver(ObResolverParams& params) : ObDCLResolver(params) {} ObCreateUserResolver::~ObCreateUserResolver() {} int ObCreateUserResolver::resolve(const ParseNode& parse_tree) { int ret = OB_SUCCESS; ObCreateUserStmt* create_user_stmt = NULL; if (OB_UNLIKELY(share::is_oracle_mode() && 5 != parse_tree.num_child_) || OB_UNLIKELY(share::is_mysql_mode() && 4 != parse_tree.num_child_) || OB_UNLIKELY(T_CREATE_USER != parse_tree.type_)) { ret = OB_INVALID_ARGUMENT; LOG_WARN("expect 4 child in mysql mode and 5 child in oracle mode, create user type", "actual_num", parse_tree.num_child_, "type", parse_tree.type_, K(ret)); } else if (OB_ISNULL(params_.session_info_) || OB_ISNULL(schema_checker_)) { ret = OB_NOT_INIT; LOG_WARN("Session info or schema checker should not be NULL", K(ret)); } else if (OB_ISNULL(create_user_stmt = create_stmt())) { ret = OB_ALLOCATE_MEMORY_FAILED; LOG_ERROR("Failed to create ObCreateUserStmt", K(ret)); } else { stmt_ = create_user_stmt; ParseNode* if_not_exist = const_cast(parse_tree.children_[0]); ParseNode* users = const_cast(parse_tree.children_[1]); ParseNode* require_info = const_cast(parse_tree.children_[2]); ParseNode* resource_options = !share::is_oracle_mode() ? const_cast(parse_tree.children_[3]) : NULL; ParseNode* profile = share::is_oracle_mode() ? const_cast(parse_tree.children_[3]) : NULL; ParseNode* primary_zone = share::is_oracle_mode() ? const_cast(parse_tree.children_[4]) : NULL; ParseNode* ssl_infos = NULL; create_user_stmt->set_tenant_id(params_.session_info_->get_effective_tenant_id()); // resolve if_not_exists if (OB_SUCC(ret)) { if (NULL != if_not_exist) { if (T_IF_NOT_EXISTS != if_not_exist->type_) { ret = OB_INVALID_ARGUMENT; LOG_WARN("invalid argument", K(if_not_exist->type_), K(ret)); } else { create_user_stmt->set_if_not_exists(true); } } } // resolve users' specs if (OB_FAIL(ret)) { // bypass } else if (OB_ISNULL(users) || OB_UNLIKELY(T_USERS != users->type_) || OB_UNLIKELY(users->num_child_ <= 0)) { ret = OB_INVALID_ARGUMENT; LOG_WARN("Create user ParseNode error", K(ret)); } else { for (int i = 0; i < users->num_child_ && OB_SUCCESS == ret; ++i) { ParseNode* user_pass = users->children_[i]; if (OB_ISNULL(user_pass)) { ret = OB_ERR_PARSE_SQL; LOG_WARN("The child of parseNode should not be NULL", K(ret), K(i)); } else if (4 != user_pass->num_child_) { ret = OB_ERR_PARSE_SQL; LOG_WARN("sql_parser parse user_identification error", K(ret)); } else if (OB_ISNULL(user_pass->children_[0])) { ret = OB_INVALID_ARGUMENT; LOG_WARN("Child 0 of user_pass should not be NULL", K(ret)); } else { ObString user_name(user_pass->children_[0]->str_len_, user_pass->children_[0]->str_value_); ObString host_name; ObCollationType client_cs_type = session_info_->get_local_collation_connection(); if (user_pass->children_[0]->type_ != T_IDENT && OB_FAIL(ObSQLUtils::copy_and_convert_string_charset( *allocator_, user_name, user_name, client_cs_type, CS_TYPE_UTF8MB4_BIN))) { LOG_WARN( "fail to convert user name to utf8", K(ret), K(user_name), KPHEX(user_name.ptr(), user_name.length())); } else if (!session_info_->is_inner() && (0 == user_name.case_compare(OB_RESTORE_USER_NAME))) { ret = OB_ERR_NO_PRIVILEGE; LOG_WARN("__oceanbase_inner_restore_user is reserved", K(ret)); } else if (NULL == user_pass->children_[3]) { host_name.assign_ptr(OB_DEFAULT_HOST_NAME, static_cast(STRLEN(OB_DEFAULT_HOST_NAME))); } else { host_name.assign_ptr( user_pass->children_[3]->str_value_, static_cast(user_pass->children_[3]->str_len_)); } ObString password; ObString need_enc_str = ObString::make_string("NO"); if (user_name.empty()) { ret = OB_CANNOT_USER; LOG_WARN("user name is empty", K(ret)); ObString create_user = ObString::make_string("CREATE USER"); LOG_USER_ERROR( OB_CANNOT_USER, create_user.length(), create_user.ptr(), host_name.length(), host_name.ptr()); } else if (OB_ISNULL(user_pass->children_[1])) { password = ObString::make_string(""); // no enc } else if (OB_ISNULL(user_pass->children_[2])) { ret = OB_ERR_PARSE_SQL; LOG_WARN("Child 2 of user_pass should not be NULL here", K(ret)); } else { password.assign_ptr( user_pass->children_[1]->str_value_, static_cast(user_pass->children_[1]->str_len_)); bool need_enc = (1 == user_pass->children_[2]->value_); if (need_enc) { need_enc_str = ObString::make_string("YES"); } else { // no enc if (!ObSetPasswordResolver::is_valid_mysql41_passwd(password)) { ret = OB_ERR_PASSWORD_FORMAT; LOG_WARN("Wrong password format", K(user_name), K(password), K(ret)); } } } uint64_t profile_id = OB_INVALID_ID; if (OB_SUCC(ret) && NULL != profile) { ParseNode* profile_name = nullptr; if (OB_UNLIKELY(profile->type_ != T_USER_PROFILE) || OB_UNLIKELY(profile->num_child_ != 1)) { ret = OB_ERR_UNEXPECTED; LOG_WARN("invalid type", K(ret), K(profile->type_), K(profile->num_child_)); } else if (OB_ISNULL(profile_name = profile->children_[0])) { ret = OB_ERR_UNEXPECTED; LOG_WARN("invalid profile name", K(ret)); } else if (profile_name->type_ == T_DEFAULT) { profile_id = OB_INVALID_ID; } else if (OB_FAIL(schema_checker_->get_profile_id(params_.session_info_->get_effective_tenant_id(), ObString(profile_name->str_len_, profile_name->str_value_), profile_id))) { LOG_WARN("fail to get profile id", K(ret)); } } create_user_stmt->set_profile_id(profile_id); // profile id is valid only in oracle mode if (OB_SUCC(ret)) { if (!share::is_oracle_mode() && OB_FAIL(check_password_strength(password, user_name))) { LOG_WARN("password don't satisfied current policy", K(ret)); } else if (share::is_oracle_mode() && OB_FAIL(check_oracle_password_strength( params_.session_info_->get_effective_tenant_id(), profile_id, password, user_name))) { LOG_WARN("fail to check password strength", K(ret)); } } if (OB_SUCC(ret)) { if (user_name.length() > OB_MAX_USER_NAME_LENGTH) { ret = OB_WRONG_USER_NAME_LENGTH; LOG_USER_ERROR(OB_WRONG_USER_NAME_LENGTH, user_name.length(), user_name.ptr()); } else if (OB_FAIL(create_user_stmt->add_user(user_name, host_name, password, need_enc_str))) { LOG_WARN("Failed to add user to ObCreateUserStmt", K(user_name), K(host_name), K(password), K(ret)); } else { // do nothing } } } } // end of for } ObSSLType ssl_type = ObSSLType::SSL_TYPE_NOT_SPECIFIED; ObString infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_MAX)] = {}; // resolve users' specs if (OB_FAIL(ret)) { // bypass } else if (NULL == require_info) { // bypass } else if (OB_UNLIKELY(T_TLS_OPTIONS != require_info->type_) || OB_UNLIKELY(require_info->num_child_ != 1) || OB_ISNULL(ssl_infos = require_info->children_[0])) { ret = OB_INVALID_ARGUMENT; LOG_WARN( "Create user ParseNode error", K(ret), K(require_info->type_), K(require_info->num_child_), KP(ssl_infos)); } else if (OB_UNLIKELY(ssl_infos->type_ < T_TLS_NONE && ssl_infos->type_ > T_TLS_SPECIFIED)) { ret = OB_INVALID_ARGUMENT; LOG_WARN("Create user ParseNode error", K(ret), K(ssl_infos->type_)); } else { ssl_type = static_cast(static_cast(ObSSLType::SSL_TYPE_NONE) + (ssl_infos->type_ - T_TLS_NONE)); if (ObSSLType::SSL_TYPE_SPECIFIED == ssl_type) { ParseNode* specified_ssl_infos = NULL; if (OB_UNLIKELY(ssl_infos->num_child_ != 1) || OB_ISNULL(specified_ssl_infos = ssl_infos->children_[0])) { ret = OB_INVALID_ARGUMENT; LOG_WARN("Create user ParseNode error", K(ret), K(ssl_infos->num_child_), KP(specified_ssl_infos)); } else { bool check_repeat[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_MAX)] = {}; for (int i = 0; i < specified_ssl_infos->num_child_ && OB_SUCC(ret); ++i) { ParseNode* ssl_info = specified_ssl_infos->children_[i]; if (OB_ISNULL(ssl_info)) { ret = OB_ERR_PARSE_SQL; LOG_WARN("The child of parseNode should not be NULL", K(ret), K(i)); } else if (OB_UNLIKELY(ssl_info->num_child_ != 1)) { ret = OB_ERR_PARSE_SQL; LOG_WARN("The num_child_is error", K(ret), K(i), K(ssl_info->num_child_)); } else if (OB_UNLIKELY(check_repeat[ssl_info->type_ - T_TLS_CIPHER])) { ret = OB_ERR_DUP_ARGUMENT; LOG_WARN("Option used twice in statement", K(ret), K(ssl_info->type_)); LOG_USER_ERROR(OB_ERR_DUP_ARGUMENT, get_ssl_spec_type_str(static_cast(ssl_info->type_ - T_TLS_CIPHER))); } else { check_repeat[ssl_info->type_ - T_TLS_CIPHER] = true; infos[ssl_info->type_ - T_TLS_CIPHER].assign_ptr( ssl_info->children_[0]->str_value_, ssl_info->children_[0]->str_len_); } } } } } if (OB_SUCC(ret) && OB_NOT_NULL(primary_zone)) { if (T_PRIMARY_ZONE != primary_zone->type_ || NULL == primary_zone->children_ || primary_zone->num_child_ != 1) { ret = common::OB_INVALID_ARGUMENT; LOG_WARN("invalid primary_zone argument", K(ret), "num_child", primary_zone->num_child_); } else if (OB_FAIL(ObDatabaseResolver::resolve_primary_zone( create_user_stmt, primary_zone->children_[0]))) { LOG_WARN("fail to resolve primary zone", K(ret)); } } if (OB_SUCC(ret)) { if (OB_FAIL(create_user_stmt->add_ssl_info(get_ssl_type_string(ssl_type), infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_CIPHER)], infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_ISSUER)], infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_SUBJECT)]))) { LOG_WARN("Failed to add_ssl_info", K(ssl_type), "CIPHER", infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_CIPHER)], "ISSUER", infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_ISSUER)], "SUBJECT", infos[static_cast(ObSSLSpecifiedType::SSL_SPEC_TYPE_SUBJECT)], K(ret)); } } if (OB_SUCC(ret) && NULL != resource_options) { if (T_USER_RESOURCE_OPTIONS != resource_options->type_ || OB_ISNULL(resource_options->children_)) { ret = common::OB_INVALID_ARGUMENT; LOG_WARN( "invalid resource options argument", K(ret), K(resource_options->type_), K(resource_options->children_)); } else { for (int64_t i = 0; i < resource_options->num_child_; i++) { ParseNode* res_option = resource_options->children_[i]; if (OB_ISNULL(res_option)) { ret = common::OB_INVALID_ARGUMENT; LOG_WARN("null res option", K(ret), K(i)); } else if (T_MAX_CONNECTIONS_PER_HOUR == res_option->type_) { uint64_t max_connections_per_hour = static_cast(res_option->value_); max_connections_per_hour = max_connections_per_hour > MAX_CONNECTIONS ? MAX_CONNECTIONS : max_connections_per_hour; create_user_stmt->set_max_connections_per_hour(max_connections_per_hour); } else if (T_MAX_USER_CONNECTIONS == res_option->type_) { uint64_t max_user_connections = static_cast(res_option->value_); max_user_connections = max_user_connections > MAX_CONNECTIONS ? MAX_CONNECTIONS : max_user_connections; create_user_stmt->set_max_user_connections(max_user_connections); } } } } if (OB_SUCC(ret) && ObSchemaChecker::is_ora_priv_check()) { OZ(schema_checker_->check_ora_ddl_priv(session_info_->get_effective_tenant_id(), session_info_->get_priv_user_id(), ObString(""), stmt::T_CREATE_USER, session_info_->get_enable_role_array()), session_info_->get_effective_tenant_id(), session_info_->get_user_id()); } } return ret; }