MDEV-19443 server_audit plugin doesn't log proxy users.

PROXY_USER event added.

MDEV-19443 server_audit plugin doesn't log proxy users.
PROXY_USER event added.
cc1646da · Alexey Botchkov · 21ea14db · cc1646da · cc1646da · cc1646da
Commit cc1646da authored Oct 22, 2020 by Alexey Botchkov
3 changed files
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@@ -227,6 +227,21 @@ set global server_audit_logging= on;
 disconnect cn1;
 drop user user1@localhost;
 set global server_audit_events='';
+CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
+CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
+connect(localhost,plug,plug_dest,test,MYSQL_PORT,MYSQL_SOCK);
+connect plug_con,localhost,plug,plug_dest;
+ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES)
+GRANT PROXY ON plug_dest TO plug;
+connect plug_con,localhost,plug,plug_dest;
+connection plug_con;
+select USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+plug@localhost	plug_dest@%
+connection default;
+disconnect plug_con;
+DROP USER plug;
+DROP USER plug_dest;
 set global server_audit_query_log_limit= 15;
 select (1), (2), (3), (4);
 1	2	3	4
@@ -404,6 +419,46 @@ TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER plug IDENTIFIED WITH \'test_plugin_server\' AS \'plug_dest\'',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER plug_dest IDENTIFIED BY *****',0
+TIME,HOSTNAME,plug,localhost,ID,0,FAILED_CONNECT,,,ID
+TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,,,0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT PROXY ON plug_dest TO plug',0
+TIME,HOSTNAME,plug,localhost,ID,0,PROXY_CONNECT,test,`plug_dest`@`%`,0
+TIME,HOSTNAME,plug,localhost,ID,0,CONNECT,test,,0
+TIME,HOSTNAME,plug,localhost,ID,0,DISCONNECT,test,,0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER plug',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,user,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER plug_dest',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select \'A\', ',0

--- a/mysql-test/suite/plugins/t/server_audit.test
+++ b/mysql-test/suite/plugins/t/server_audit.test
-
+--source include/have_plugin_auth.inc
 --source include/not_embedded.inc

 if (!$SERVER_AUDIT_SO) {
@@ -174,6 +174,25 @@ drop user user1@localhost;

 set global server_audit_events='';

+CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
+CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
+--sleep 2
+--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
+--error ER_ACCESS_DENIED_ERROR : this should fail : no grant
+connect(plug_con,localhost,plug,plug_dest);
+--sleep 2
+GRANT PROXY ON plug_dest TO plug;
+--sleep 2
+connect(plug_con,localhost,plug,plug_dest);
+connection plug_con;
+select USER(),CURRENT_USER();
+connection default;
+disconnect plug_con;
+--sleep 2
+--sleep 2
+DROP USER plug;
+DROP USER plug_dest;
+
 set global server_audit_query_log_limit= 15;
 select (1), (2), (3), (4);
 select 'A', 'B', 'C', 'D';

--- a/plugin/server_audit/server_audit.c
+++ b/plugin/server_audit/server_audit.c
@@ -15,7 +15,7 @@


 #define PLUGIN_VERSION 0x104
-#define PLUGIN_STR_VERSION "1.4.7"
+#define PLUGIN_STR_VERSION "1.4.9"

 #define _my_thread_var loc_thread_var

@@ -328,6 +328,10 @@ struct connection_info
  char query_buffer[1024];
  time_t query_time;
  int log_always;
+  char proxy[64];
+  int proxy_length;
+  char proxy_host[64];
+  int proxy_host_length;
 };

 #define DEFAULT_FILENAME_LEN 16
@@ -1128,9 +1132,13 @@ static void setup_connection_simple(struct connection_info *ci)
  ci->ip_length= 0;
  ci->query_length= 0;
  ci->header= 0;
+  ci->proxy_length= 0;
 }


+#define MAX_HOSTNAME 61
+#define USERNAME_LENGTH 384
+
 static void setup_connection_connect(struct connection_info *cn,
    const struct mysql_event_connection *event)
 {
@@ -1147,6 +1155,29 @@ static void setup_connection_connect(struct connection_info *cn,
  get_str_n(cn->ip, &cn->ip_length, sizeof(cn->ip),
            event->ip, event->ip_length);
  cn->header= 0;
+  if (event->proxy_user && event->proxy_user[0])
+  {
+    const char *priv_host= event->proxy_user +
+            sizeof(char[MAX_HOSTNAME+USERNAME_LENGTH+5]);
+    size_t priv_host_length;
+
+    if (mysql_57_started)
+    {
+      priv_host+= sizeof(size_t);
+      priv_host_length= *(size_t *) (priv_host + MAX_HOSTNAME);
+    }
+    else
+      priv_host_length= strlen(priv_host);
+
+
+    get_str_n(cn->proxy, &cn->proxy_length, sizeof(cn->proxy),
+              event->priv_user, event->priv_user_length);
+    get_str_n(cn->proxy_host, &cn->proxy_host_length,
+              sizeof(cn->proxy_host),
+              priv_host, priv_host_length);
+  }
+  else
+    cn->proxy_length= 0;
 }


@@ -1346,6 +1377,31 @@ static size_t log_header(char *message, size_t message_len,
 }


+static int log_proxy(const struct connection_info *cn,
+                     const struct mysql_event_connection *event)
+                   
+{
+  time_t ctime;
+  size_t csize;
+  char message[1024];
+
+  (void) time(&ctime);
+  csize= log_header(message, sizeof(message)-1, &ctime,
+                    servhost, servhost_len,
+                    cn->user, cn->user_length,
+                    cn->host, cn->host_length,
+                    cn->ip, cn->ip_length,
+                    event->thread_id, 0, "PROXY_CONNECT");
+  csize+= my_snprintf(message+csize, sizeof(message) - 1 - csize,
+    ",%.*s,`%.*s`@`%.*s`,%d", cn->db_length, cn->db,
+                     cn->proxy_length, cn->proxy,
+                     cn->proxy_host_length, cn->proxy_host,
+                     event->status);
+  message[csize]= '\n';
+  return write_log(message, csize + 1, 1);
+}
+
+
 static int log_connection(const struct connection_info *cn,
                          const struct mysql_event_connection *event,
                          const char *type)
@@ -2007,9 +2063,13 @@ static void update_connection_info(struct connection_info *cn,
    {
      case MYSQL_AUDIT_CONNECTION_CONNECT:
        setup_connection_connect(cn, event);
+        if (event->status == 0 && event->proxy_user && event->proxy_user[0])
+          log_proxy(cn, event);
        break;
      case MYSQL_AUDIT_CONNECTION_CHANGE_USER:
        *after_action= AA_CHANGE_USER;
+        if (event->proxy_user && event->proxy_user[0])
+          log_proxy(cn, event);
        break;
      default:;
    }