Commit 102a7a2a authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-4307 Support at least 48 utf8 characters in username in server and PAM

Extend plugin auth api to support up to 512 bytes in the user names.
Use the API versioning to support old auth plugins too!
parent 1d46ee77
...@@ -27,7 +27,7 @@ ...@@ -27,7 +27,7 @@
#include <mysql/plugin.h> #include <mysql/plugin.h>
#define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0100 #define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0200
#include <mysql/plugin_auth_common.h> #include <mysql/plugin_auth_common.h>
...@@ -78,7 +78,7 @@ typedef struct st_mysql_server_auth_info ...@@ -78,7 +78,7 @@ typedef struct st_mysql_server_auth_info
Not used by the server. Not used by the server.
Available through the @@EXTERNAL_USER variable. Available through the @@EXTERNAL_USER variable.
*/ */
char external_user[512]; char external_user[MYSQL_USERNAME_LENGTH+1];
/** /**
This only affects the "Authentication failed. Password used: %s" This only affects the "Authentication failed. Password used: %s"
......
...@@ -266,8 +266,8 @@ typedef struct st_mysql_server_auth_info ...@@ -266,8 +266,8 @@ typedef struct st_mysql_server_auth_info
unsigned int user_name_length; unsigned int user_name_length;
const char *auth_string; const char *auth_string;
unsigned long auth_string_length; unsigned long auth_string_length;
char authenticated_as[48 +1]; char authenticated_as[512 +1];
char external_user[512]; char external_user[512 +1];
int password_used; int password_used;
const char *host_or_ip; const char *host_or_ip;
unsigned int host_or_ip_length; unsigned int host_or_ip_length;
......
...@@ -28,7 +28,7 @@ ...@@ -28,7 +28,7 @@
#define MYSQL_PLUGIN_AUTH_COMMON_INCLUDED #define MYSQL_PLUGIN_AUTH_COMMON_INCLUDED
/** the max allowed length for a user name */ /** the max allowed length for a user name */
#define MYSQL_USERNAME_LENGTH 48 #define MYSQL_USERNAME_LENGTH 512
/** /**
return values of the plugin authenticate_user() method. return values of the plugin authenticate_user() method.
......
install soname 'auth_0x0100';
select plugin_name, plugin_type_version from information_schema.plugins where plugin_type='authentication' order by plugin_name;
plugin_name plugin_type_version
auth_0x0100 1.0
mysql_native_password 2.0
mysql_old_password 2.0
create user tt identified via auth_0x0100;
grant select on test.* to zzzzzzzzzzzzzzzz;
connect(localhost,tt,,test,MASTER_MYPORT,MASTER_MYSOCK);
ERROR 28000: Access denied for user 'tt'@'localhost' (using password: YES)
grant proxy on zzzzzzzzzzzzzzzz to tt;
select user(), current_user(), @@external_user;
user() tt@localhost
current_user() zzzzzzzzzzzzzzzz@%
@@external_user oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo.
drop user tt;
drop user zzzzzzzzzzzzzzzz;
uninstall plugin auth_0x0100;
--source include/not_embedded.inc
if (!$AUTH_0X0100_SO) {
skip No auth_0x0100 plugin;
}
install soname 'auth_0x0100';
select plugin_name, plugin_type_version from information_schema.plugins where plugin_type='authentication' order by plugin_name;
create user tt identified via auth_0x0100;
grant select on test.* to zzzzzzzzzzzzzzzz;
--replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT
--error ER_ACCESS_DENIED_ERROR
connect (c0,localhost,tt);
grant proxy on zzzzzzzzzzzzzzzz to tt;
connect (c1,localhost,tt);
connection c1;
--query_vertical select user(), current_user(), @@external_user
connection default;
drop user tt;
drop user zzzzzzzzzzzzzzzz;
uninstall plugin auth_0x0100;
...@@ -27,5 +27,7 @@ MYSQL_ADD_PLUGIN(qa_auth_server qa_auth_server.c ...@@ -27,5 +27,7 @@ MYSQL_ADD_PLUGIN(qa_auth_server qa_auth_server.c
MYSQL_ADD_PLUGIN(qa_auth_client qa_auth_client.c MYSQL_ADD_PLUGIN(qa_auth_client qa_auth_client.c
MODULE_ONLY COMPONENT Test) MODULE_ONLY COMPONENT Test)
MYSQL_ADD_PLUGIN(auth_0x0100 auth_0x0100.c MODULE_ONLY COMPONENT Test)
MYSQL_ADD_PLUGIN(mysql_clear_password clear_password_client.c MYSQL_ADD_PLUGIN(mysql_clear_password clear_password_client.c
MODULE_ONLY COMPONENT SharedLibraries) MODULE_ONLY COMPONENT SharedLibraries)
/* Copyright (C) 2013 Sergei Golubchik and Monty Program Ab
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; version 2 of the
License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
/**
@file
auth plugin that uses old structures as of
MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0100
To test the old version support.
It intentionally uses no constants like CR_OK ok PASSWORD_USED_YES.
*/
#include <mysql/plugin.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#if 0
#include <mysql/plugin_auth.h>
#else
#define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0100
typedef void MYSQL_PLUGIN_VIO; /* we don't use it here */
typedef struct st_mysql_server_auth_info
{
char *user_name;
unsigned int user_name_length;
const char *auth_string;
unsigned long auth_string_length;
char authenticated_as[49];
char external_user[512];
int password_used;
const char *host_or_ip;
unsigned int host_or_ip_length;
} MYSQL_SERVER_AUTH_INFO;
struct st_mysql_auth
{
int interface_version;
const char *client_auth_plugin;
int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info);
};
#endif
static int do_auth_0x0100(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
{
info->password_used= 1;
strcpy(info->authenticated_as, "zzzzzzzzzzzzzzzz");
memset(info->external_user, 'o', 510);
info->external_user[510]='.';
info->external_user[511]=0;
return vio ? -1 : 0; /* use vio to avoid the 'unused' warning */
}
static struct st_mysql_auth auth_0x0100_struct=
{
MYSQL_AUTHENTICATION_INTERFACE_VERSION, 0, do_auth_0x0100
};
maria_declare_plugin(auth_0x0100)
{
MYSQL_AUTHENTICATION_PLUGIN,
&auth_0x0100_struct,
"auth_0x0100",
"Sergei Golubchik",
"Test for API 0x0100 support",
PLUGIN_LICENSE_GPL,
NULL,
NULL,
0x0100,
NULL,
NULL,
"1.0",
MariaDB_PLUGIN_MATURITY_EXPERIMENTAL,
}
maria_declare_plugin_end;
...@@ -2572,8 +2572,6 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, ...@@ -2572,8 +2572,6 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
mysql->server_version, mysql->server_capabilities, mysql->server_version, mysql->server_capabilities,
mysql->server_status, mysql->client_flag)); mysql->server_status, mysql->client_flag));
compile_time_assert(MYSQL_USERNAME_LENGTH == USERNAME_LENGTH);
/* This needs to be changed as it's not useful with big packets */ /* This needs to be changed as it's not useful with big packets */
if (mysql->user[0]) if (mysql->user[0])
strmake(end, mysql->user, USERNAME_LENGTH); strmake(end, mysql->user, USERNAME_LENGTH);
......
...@@ -52,6 +52,8 @@ ...@@ -52,6 +52,8 @@
#include "sql_db.h" #include "sql_db.h"
#include "sql_array.h" #include "sql_array.h"
#include "sql_plugin_compat.h"
bool mysql_user_table_is_in_short_password_format= false; bool mysql_user_table_is_in_short_password_format= false;
static const static const
...@@ -9027,7 +9029,20 @@ static int do_auth_once(THD *thd, const LEX_STRING *auth_plugin_name, ...@@ -9027,7 +9029,20 @@ static int do_auth_once(THD *thd, const LEX_STRING *auth_plugin_name,
if (plugin) if (plugin)
{ {
st_mysql_auth *auth= (st_mysql_auth *) plugin_decl(plugin)->info; st_mysql_auth *auth= (st_mysql_auth *) plugin_decl(plugin)->info;
switch (auth->interface_version) {
case 0x0200:
res= auth->authenticate_user(mpvio, &mpvio->auth_info); res= auth->authenticate_user(mpvio, &mpvio->auth_info);
break;
case 0x0100:
{
MYSQL_SERVER_AUTH_INFO_0x0100 compat;
compat.downgrade(&mpvio->auth_info);
res= auth->authenticate_user(mpvio, (MYSQL_SERVER_AUTH_INFO *)&compat);
compat.upgrade(&mpvio->auth_info);
}
break;
default: DBUG_ASSERT(0);
}
if (unlock_plugin) if (unlock_plugin)
plugin_unlock(thd, plugin); plugin_unlock(thd, plugin);
...@@ -9078,8 +9093,6 @@ bool acl_authenticate(THD *thd, uint connect_errors, ...@@ -9078,8 +9093,6 @@ bool acl_authenticate(THD *thd, uint connect_errors,
: COM_CONNECT; : COM_CONNECT;
DBUG_ENTER("acl_authenticate"); DBUG_ENTER("acl_authenticate");
compile_time_assert(MYSQL_USERNAME_LENGTH == USERNAME_LENGTH);
bzero(&mpvio, sizeof(mpvio)); bzero(&mpvio, sizeof(mpvio));
mpvio.read_packet= server_mpvio_read_packet; mpvio.read_packet= server_mpvio_read_packet;
mpvio.write_packet= server_mpvio_write_packet; mpvio.write_packet= server_mpvio_write_packet;
......
...@@ -35,6 +35,8 @@ ...@@ -35,6 +35,8 @@
#include <mysql/plugin_auth.h> #include <mysql/plugin_auth.h>
#include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT #include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT
#include <mysql/plugin_auth.h> #include <mysql/plugin_auth.h>
#include "sql_plugin_compat.h"
#define REPORT_TO_LOG 1 #define REPORT_TO_LOG 1
#define REPORT_TO_USER 2 #define REPORT_TO_USER 2
...@@ -135,7 +137,7 @@ static int min_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]= ...@@ -135,7 +137,7 @@ static int min_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
MYSQL_INFORMATION_SCHEMA_INTERFACE_VERSION, MYSQL_INFORMATION_SCHEMA_INTERFACE_VERSION,
MYSQL_AUDIT_INTERFACE_VERSION, MYSQL_AUDIT_INTERFACE_VERSION,
MYSQL_REPLICATION_INTERFACE_VERSION, MYSQL_REPLICATION_INTERFACE_VERSION,
MYSQL_AUTHENTICATION_INTERFACE_VERSION MIN_AUTHENTICATION_INTERFACE_VERSION
}; };
static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]= static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{ {
......
/* Copyright (C) 2013 Sergei Golubchik and Monty Program Ab
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
/* old plugin api structures, used for backward compatibility */
#define upgrade_var(X) latest->X= X
#define upgrade_str(X) strmake(latest->X, X, sizeof(X))
#define downgrade_var(X) X= latest->X
#define downgrade_str(X) strmake(X, latest->X, sizeof(X)-1)
/**************************************************************/
/* Authentication API, version 0x0100 *************************/
#define MIN_AUTHENTICATION_INTERFACE_VERSION 0x0100
struct MYSQL_SERVER_AUTH_INFO_0x0100 {
char *user_name;
unsigned int user_name_length;
const char *auth_string;
unsigned long auth_string_length;
char authenticated_as[49];
char external_user[512];
int password_used;
const char *host_or_ip;
unsigned int host_or_ip_length;
void upgrade(MYSQL_SERVER_AUTH_INFO *latest)
{
upgrade_var(user_name);
upgrade_var(user_name_length);
upgrade_var(auth_string);
upgrade_var(auth_string_length);
upgrade_str(authenticated_as);
upgrade_str(external_user);
upgrade_var(password_used);
upgrade_var(host_or_ip);
upgrade_var(host_or_ip_length);
}
void downgrade(MYSQL_SERVER_AUTH_INFO *latest)
{
downgrade_var(user_name);
downgrade_var(user_name_length);
downgrade_var(auth_string);
downgrade_var(auth_string_length);
downgrade_str(authenticated_as);
downgrade_str(external_user);
downgrade_var(password_used);
downgrade_var(host_or_ip);
downgrade_var(host_or_ip_length);
}
};
/**************************************************************/
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment