Commit 4b31e6dc authored by Vladislav Vaintroub's avatar Vladislav Vaintroub

Address review comments, add unit test

parent c1bf5ba2
INSTALL SONAME 'auth_named_pipe';
CREATE USER USERNAME IDENTIFIED WITH named_pipe;
SELECT USER(),CURRENT_USER();
USER() CURRENT_USER()
USERNAME@localhost USERNAME@%
DROP USER USERNAME;
CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
ERROR 28000: Access denied for user 'nosuchuser'@'localhost'
DROP USER nosuchuser;
UNINSTALL SONAME 'auth_named_pipe';
--source include/windows.inc
INSTALL SONAME 'auth_named_pipe';
--replace_result $USERNAME USERNAME
eval CREATE USER $USERNAME IDENTIFIED WITH named_pipe;
# Connect using named pipe, correct username
connect(pipe_con,localhost,$USERNAME,,,,,PIPE);
--replace_result $USERNAME USERNAME
SELECT USER(),CURRENT_USER();
disconnect pipe_con;
connection default;
--replace_result $USERNAME USERNAME
eval DROP USER $USERNAME;
# test invalid user name
CREATE USER nosuchuser IDENTIFIED WITH named_pipe;
--disable_query_log
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
connect(pipe_con,localhost,nosuchuser,,,,,PIPE);
--enable_query_log
DROP USER nosuchuser;
UNINSTALL SONAME 'auth_named_pipe';
\ No newline at end of file
# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 of the
# License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
IF(WIN32) IF(WIN32)
MYSQL_ADD_PLUGIN(auth_pipe auth_pipe.c MODULE_ONLY) MYSQL_ADD_PLUGIN(auth_named_pipe auth_pipe.c)
ENDIF() ENDIF()
...@@ -17,44 +17,27 @@ ...@@ -17,44 +17,27 @@
/** /**
@file @file
auth_pipd authentication plugin. auth_pipe authentication plugin.
Authentication is successful if the connection is done via a named pip and Authentication is successful if the connection is done via a named pipe
the owner of the client process matches the user name that was used when pipe peer name matches mysql user name
connecting to mysqld.
*/ */
#include <mysql/plugin_auth.h> #include <mysql/plugin_auth.h>
#include <string.h> #include <string.h>
#include <lmcons.h> #include <lmcons.h>
/** /**
perform the named pipe´based authentication This authentication callback obtains user name using named pipe impersonation
This authentication callback performs a named pipe based authentication -
it gets the uid of the client process and considers the user authenticated
if it uses username of this uid. That is - if the user is already
authenticated to the OS (if she is logged in) - she can use MySQL as herself
*/ */
static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
{ {
unsigned char *pkt; unsigned char *pkt;
PTOKEN_USER pTokenUser= NULL;
HANDLE hToken;
MYSQL_PLUGIN_VIO_INFO vio_info; MYSQL_PLUGIN_VIO_INFO vio_info;
DWORD dLength= 0; char username[UNLEN + 1];
int Ret= CR_ERROR; size_t username_length;
TCHAR username[UNLEN + 1]; int ret;
DWORD username_length= UNLEN + 1;
char domainname[DNLEN + 1];
DWORD domainsize=DNLEN + 1;
SID_NAME_USE sidnameuse;
/* no user name yet ? read the client handshake packet with the user name */ /* no user name yet ? read the client handshake packet with the user name */
if (info->user_name == 0) if (info->user_name == 0)
...@@ -62,41 +45,26 @@ static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) ...@@ -62,41 +45,26 @@ static int pipe_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
if (vio->read_packet(vio, &pkt) < 0) if (vio->read_packet(vio, &pkt) < 0)
return CR_ERROR; return CR_ERROR;
} }
info->password_used= PASSWORD_USED_NO_MENTION; info->password_used= PASSWORD_USED_NO_MENTION;
vio->info(vio, &vio_info); vio->info(vio, &vio_info);
if (vio_info.protocol != MYSQL_VIO_PIPE) if (vio_info.protocol != MYSQL_VIO_PIPE)
return CR_ERROR; return CR_ERROR;
/* get the UID of the client process */ /* Impersonate the named pipe peer, and retrieve the user name */
if (!ImpersonateNamedPipeClient(vio_info.handle)) if (!ImpersonateNamedPipeClient(vio_info.handle))
return CR_ERROR; return CR_ERROR;
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken))
goto end;
/* determine length of TokenUser */
GetTokenInformation(hToken, TokenUser, NULL, 0, &dLength);
if (!dLength)
goto end;
if (!(pTokenUser= (PTOKEN_USER)LocalAlloc(0, dLength)))
goto end;
if (!GetTokenInformation(hToken, TokenUser, (PVOID)pTokenUser, dLength, &dLength))
goto end;
if (!LookupAccountSid(NULL, pTokenUser->User.Sid, username, &username_length, domainname, &domainsize, &sidnameuse))
goto end;
Ret= strcmp(username, info->user_name) ? CR_ERROR : CR_OK; username_length= sizeof(username) - 1;
end: ret= CR_ERROR;
if (pTokenUser) if (GetUserName(username, &username_length))
LocalFree(pTokenUser); {
/* Always compare names case-insensitive on Windows.*/
if (_stricmp(username, info->user_name) == 0)
ret= CR_OK;
}
RevertToSelf(); RevertToSelf();
/* now it's simple as that */
return Ret; return ret;
} }
static struct st_mysql_auth pipe_auth_handler= static struct st_mysql_auth pipe_auth_handler=
...@@ -106,11 +74,11 @@ static struct st_mysql_auth pipe_auth_handler= ...@@ -106,11 +74,11 @@ static struct st_mysql_auth pipe_auth_handler=
pipe_auth pipe_auth
}; };
maria_declare_plugin(socket_auth) maria_declare_plugin(auth_named_pipe)
{ {
MYSQL_AUTHENTICATION_PLUGIN, MYSQL_AUTHENTICATION_PLUGIN,
&pipe_auth_handler, &pipe_auth_handler,
"windows_pipe", "named_pipe",
"Vladislav Vaintroub, Georg Richter", "Vladislav Vaintroub, Georg Richter",
"Windows named pipe based authentication", "Windows named pipe based authentication",
PLUGIN_LICENSE_GPL, PLUGIN_LICENSE_GPL,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment