From df19d16f14d71b86b3419e7c0eb346be0e777f5a Mon Sep 17 00:00:00 2001 From: Christos Soulios <1561376+csoulios@users.noreply.github.com> Date: Thu, 27 May 2021 02:48:17 +0300 Subject: [PATCH] Passed attributes as param to LDAP auth Removed ldap_ctx as ldap context is managed in the plugin itself --- include/MySQL_LDAP_Authentication.hpp | 69 +++------------------------ include/MySQL_Session.h | 2 +- lib/MySQL_Protocol.cpp | 22 +++++---- lib/MySQL_Session.cpp | 17 +++---- 4 files changed, 26 insertions(+), 84 deletions(-)
diff --git a/include/MySQL_LDAP_Authentication.hpp b/include/MySQL_LDAP_Authentication.hpp
index 3d155a857..aaa618394 100644
--- a/include/MySQL_LDAP_Authentication.hpp
+++ b/include/MySQL_LDAP_Authentication.hpp
@@ -1,81 +1,24 @@
 #ifndef CLASS_MYSQL_LDAP_AUTHENTICATION_H
 #define CLASS_MYSQL_LDAP_AUTHENTICATION_H
-/*
-#include "proxysql.h"
-#include "cpp.h"
-
-#ifndef LDAP_ACCOUNT_DETAILS_T
-#define LDAP_ACCOUNT_DETAILS_T
-typedef struct _ldap_account_details_t {
- char *username;
- char *password;
- void *sha1_pass;
- bool use_ssl;
- int default_hostgroup;
- char *default_schema;
- bool schema_locked;
- bool transaction_persistent;
-// bool fast_forward;
-// int max_connections;
-// int num_connections_used;
-// bool __frontend; // this is used only during the dump
-// bool __backend; // this is used only during the dump
-// bool __active;
- unsigned long long inserted_at;
- char *ad_group;
-} ldap_account_details_t;
-
-typedef std::map umap_auth;
-#endif // LDAP_ACCOUNT_DETAILS_T
-
-#ifdef DEBUG
-#define DEB "_DEBUG"
-#else
-#define DEB ""
-#endif // DEBUG
-#define MYSQL_LDAP_AUTHENTICATION_VERSION "1.0.0000" DEB
-
-
-class PtrArray;
-
-#ifndef CREDS_GROUPS_T
-#define CREDS_GROUPS_T
-typedef struct _creds_group_t {
- pthread_rwlock_t lock;
- umap_auth bt_map;
- PtrArray *cred_array;
-} creds_group_t;
-#endif // CREDS_GROUPS_T
-*/
-
-
 class MySQL_LDAP_Authentication {
-/*
- private:
-// creds_group_t creds_backends;
- creds_group_t creds_frontends;
- bool _reset(enum cred_username_type usertype);
-// uint64_t _get_runtime_checksum(enum cred_username_type usertype);
-*/
- public:
+public:
 MySQL_LDAP_Authentication() {};
 virtual ~MySQL_LDAP_Authentication() {};
 virtual bool add(char *username, char *backend_username, char *password, enum cred_username_type usertype, bool use_ssl, int default_hostgroup, char *default_schema, bool schema_locked, bool transaction_persistent, bool fast_forward, int max_connections) {return false;};
 virtual bool del(char *username, enum cred_username_type usertype, bool set_lock=true) {return false;};
 virtual bool reset() {return false;};
 virtual void print_version() {};
- virtual char * lookup(void *ldap_ctx, char *username, char *pass, enum
cred_username_type usertype, bool *use_ssl, int *default_hostgroup, char **default_schema, bool *schema_locked, bool *transaction_persistent, bool *fast_forward, int *max_connections, void **sha1_pass, char **backend_username) {return NULL;};
- //virtual int dump_all_users(account_details_t ***, bool _complete=true) {return 0;};
+ virtual char * lookup(char *username, char *pass,
+ enum cred_username_type usertype, bool *use_ssl, int *default_hostgroup,
+ char **default_schema, bool *schema_locked, bool *transaction_persistent,
+ bool *fast_forward, int *max_connections, void **sha1_pass, char **attributes,
+ char **backend_username) {return NULL;};
 virtual int increase_frontend_user_connections(char *username, int *mc=NULL) {return 0;};
 virtual void decrease_frontend_user_connections(char *username) {};
 virtual void set_all_inactive(enum cred_username_type usertype) {};
 virtual void remove_inactives(enum cred_username_type usertype) {};
 virtual bool set_SHA1(char *username, enum cred_username_type usertype, void *sha_pass) {return false;};
-// unsigned int memory_usage();
-// uint64_t get_runtime_checksum();
- virtual void * ldap_ctx_init() {return NULL;};
- virtual void ldap_ctx_free(void *) {};
 virtual char **get_variables_list() {return NULL;}
 virtual bool has_variable(const char *name) {return false;};
 virtual void wrlock() {};
diff --git a/include/MySQL_Session.h b/include/MySQL_Session.h
index 021629c83..0fa0330e4 100644
--- a/include/MySQL_Session.h
+++ b/include/MySQL_Session.h
@@ -239,7 +239,7 @@ class MySQL_Session
 Session_Regex **match_regexes;
- void *ldap_ctx;
+ bool use_ldap_auth;
 // this variable is relevant only if status == SETTING_VARIABLE
 enum variable_name changing_variable_idx;
diff --git a/lib/MySQL_Protocol.cpp b/lib/MySQL_Protocol.cpp
index 8fee40f09..4aa06560c 100644
--- a/lib/MySQL_Protocol.cpp
+++ b/lib/MySQL_Protocol.cpp
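Review bot: The new `lookup` declaration in MySQL_LDAP_Authentication.hpp says nothing about who owns the strings it hands back, yet this same patch has `~MySQL_Session` call `free(user_attributes)` on the pointer that `process_pkt_handshake_response` stores straight from `*attributes`, so a plugin that writes a string literal or a pointer into its own table there gets it freed by the session. I would document the contract on the line above the declaration: `// *default_schema, *attributes and *backend_username (and presumably the returned password - confirm against the caller's cleanup) must be heap-allocated copies; the caller owns and free()s them. On failure return NULL and leave the out-params untouched.` It is also worth stating that `pass` is the client-supplied credential passed through as received, so implementations must treat it as a secret and never log it; the DEBUG path in MySQL_Protocol.cpp already `strdup`s the returned password for dumping, which must stay DEBUG-only. The class body continues past the end of the hunk.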
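Review bot: `bool use_ldap_auth;` in MySQL_Session.h is declared without a comment, while the MySQL_Session.cpp hunks below make it decide which authenticator's connection counters are bumped and whether the LDAP comment is injected, so its meaning deserves one line here: `bool use_ldap_auth; // true once the frontend user was resolved through GloMyLdapAuth; selects the LDAP counters in increase/decrease_frontend_user_connections and enables add_ldap_comment_to_pkt`. It replaces a pointer that doubled as this flag, so an explicit note that it is only set from process_pkt_handshake_response helps the next reader. The file initialises it in the constructor (hunk at line 504), but an in-class `= false` would also protect any future constructor that forgets it.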
@@ -1734,26 +1734,26 @@ bool MySQL_Protocol::process_pkt_handshake_response(unsigned char *pkt, unsigned
 #ifdef DEBUG
 if (dump_pkt) { __dump_pkt(__func__,pkt,len); }
 #endif
- bool ret=false;
+ bool ret = false;
 unsigned int charset;
 uint32_t capabilities = 0;
 uint32_t max_pkt;
 uint32_t pass_len;
- unsigned char *user=NULL;
- char *db=NULL;
+ unsigned char *user = NULL;
+ char *db = NULL;
 char *db_tmp = NULL;
 unsigned char *pass = NULL;
 MySQL_Connection *myconn = NULL;
- char *password=NULL;
- bool use_ssl=false;
- bool _ret_use_ssl=false;
+ char *password = NULL;
+ bool use_ssl = false;
+ bool _ret_use_ssl = false;
 unsigned char *auth_plugin = NULL;
 int auth_plugin_id = 0;
 char reply[SHA_DIGEST_LENGTH+1];
 reply[SHA_DIGEST_LENGTH]='\0';
 int default_hostgroup=-1;
- char *default_schema=NULL;
+ char *default_schema = NULL;
 char *attributes = NULL;
 bool schema_locked;
 bool transaction_persistent = true;
@@ -2076,8 +2076,10 @@ __do_auth:
 }
 #endif // debug
 char *backend_username = NULL;
- (*myds)->sess->ldap_ctx = GloMyLdapAuth->ldap_ctx_init();
- password = GloMyLdapAuth->lookup((*myds)->sess->ldap_ctx, (char *)user, (char *)pass, USERNAME_FRONTEND, &_ret_use_ssl, &default_hostgroup, &default_schema, &schema_locked, &transaction_persistent, &fast_forward, &max_connections, &sha1_pass, &backend_username);
+ (*myds)->sess->use_ldap_auth = true;
+ password = GloMyLdapAuth->lookup((char *) user, (char *) pass, USERNAME_FRONTEND,
+ &_ret_use_ssl, &default_hostgroup, &default_schema, &schema_locked,
+ &transaction_persistent, &fast_forward, &max_connections, &sha1_pass, &attributes, &backend_username);
 if (password) {
 #ifdef DEBUG
 char *tmp_pass=strdup(password);
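Review bot: `(*myds)->sess->use_ldap_auth = true;` is set before `GloMyLdapAuth->lookup()` runs and is not undone when the lookup returns NULL, so a session whose LDAP lookup fails is still marked as LDAP-authenticated, and nothing in this patch clears the flag afterwards (only the constructor sets it false). If the session can go on to authenticate again — for instance a later COM_CHANGE_USER that succeeds against GloMyAuth — the LDAP connection counters and comment injection are then applied to a non-LDAP user and GloMyAuth's per-user max_connections accounting is presumably skipped for it. I would mark the session only on success: drop the assignment here and put `(*myds)->sess->use_ldap_auth = true;` as the first statement inside `if (password) {`, leaving the `attributes` hand-off unchanged. The `__do_auth` block begins before this hunk, so the native-auth branch that ought to set the flag to false is not visible here.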
@@ -2090,7 +2092,7 @@ __do_auth:
 #endif // debug
 (*myds)->sess->default_hostgroup=default_hostgroup;
 (*myds)->sess->default_schema=default_schema; // just the pointer is passed
- (*myds)->sess->user_attributes = attributes; // just the pointer is passed , but for now not available in LDAP
+ (*myds)->sess->user_attributes = attributes; // just the pointer is passed, LDAP returns empty string
 #ifdef DEBUG
 debug_spiffe_id(user,attributes, __LINE__, __func__);
 #endif
diff --git a/lib/MySQL_Session.cpp b/lib/MySQL_Session.cpp
index d8d9594c8..abc842572 100644
--- a/lib/MySQL_Session.cpp
+++ b/lib/MySQL_Session.cpp
@@ -504,7 +504,7 @@ MySQL_Session::MySQL_Session() {
 last_insert_id=0; // #1093
 last_HG_affected_rows = -1; // #1421 : advanced support for LAST_INSERT_ID()
- ldap_ctx = NULL;
+ use_ldap_auth = false;
 }
 void MySQL_Session::init() {
@@ -588,6 +588,7 @@ MySQL_Session::~MySQL_Session() {
 }
 if (user_attributes) {
 free(user_attributes);
+ user_attributes = NULL;
 }
 proxy_debug(PROXY_DEBUG_NET,1,"Thread=%p, Session=%p -- Shutdown Session %p\n" , this->thread, this, this);
 delete command_counters;
@@ -601,10 +602,6 @@ MySQL_Session::~MySQL_Session() {
 __sync_sub_and_fetch(&GloMTH->status_variables.mirror_sessions_current,1);
 GloMTH->status_variables.p_gauge_array[p_th_gauge::mirror_concurrency]->Decrement();
 }
- if (ldap_ctx) {
- GloMyLdapAuth->ldap_ctx_free(ldap_ctx);
- ldap_ctx = NULL;
- }
 }
@@ -2016,7 +2013,7 @@ bool MySQL_Session::handler_again___status_SETTING_LDAP_USER_VARIABLE(int *_rc)
 enum session_status st=status;
 if (
- (GloMyLdapAuth==NULL) || (ldap_ctx==NULL)
+ (GloMyLdapAuth==NULL) || (use_ldap_auth==false)
 || (client_myds==NULL || client_myds->myconn==NULL || client_myds->myconn->userinfo==NULL)
 ) {
 // nothing to do
@@ -4391,7 +4388,7 @@ handler_again:
 if (handler_again___verify_init_connect()) {
 goto handler_again;
 }
- if (ldap_ctx) {
+ if (use_ldap_auth) {
 if (handler_again___verify_ldap_user_variable()) {
 goto handler_again;
 }
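Review bot: The updated comment `// just the pointer is passed, LDAP returns empty string` records the value but not the ownership, and `~MySQL_Session` further down in this patch does `free(user_attributes)`, so "empty string" has to mean a heap-allocated empty string rather than a `""` literal, or the destructor ends up freeing static memory. I would make that explicit in the comment: `// just the pointer is passed; the session owns it from here and free()s it in ~MySQL_Session, so the LDAP plugin must return a malloc'd (possibly empty) string or NULL`. NULL is safe because the destructor guards the free with `if (user_attributes)`. The `__do_auth` block begins before this hunk.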
@@ -4929,7 +4926,7 @@ void MySQL_Session::handler___status_CONNECTING_CLIENT___STATE_SERVER_HANDSHAKE(
 //#endif // TEST_AURORA || TEST_GALERA || TEST_GROUPREP
 case PROXYSQL_SESSION_MYSQL:
 proxy_debug(PROXY_DEBUG_MYSQL_CONNECTION,8,"Session=%p , DS=%p , session_type=PROXYSQL_SESSION_MYSQL\n", this, client_myds);
- if (ldap_ctx==NULL) {
+ if (use_ldap_auth == false) {
 free_users=GloMyAuth->increase_frontend_user_connections(client_myds->myconn->userinfo->username, &used_users);
 } else {
 free_users=GloMyLdapAuth->increase_frontend_user_connections(client_myds->myconn->userinfo->username, &used_users);
@@ -6205,7 +6202,7 @@ void MySQL_Session::handler___status_WAITING_CLIENT_DATA___STATE_SLEEP___MYSQL_C
 reset();
 init();
 if (client_authenticated) {
- if (ldap_ctx==NULL) {
+ if (use_ldap_auth == false) {
 GloMyAuth->decrease_frontend_user_connections(client_myds->myconn->userinfo->username);
 } else {
 GloMyLdapAuth->decrease_frontend_user_connections(client_myds->myconn->userinfo->username);
@@ -6948,7 +6945,7 @@ bool MySQL_Session::handle_command_query_kill(PtrSize_t *pkt) {
 void MySQL_Session::add_ldap_comment_to_pkt(PtrSize_t *_pkt) {
 if (GloMyLdapAuth==NULL)
 return;
- if (ldap_ctx==NULL)
+ if (use_ldap_auth == false)
 return;
 if (client_myds==NULL || client_myds->myconn==NULL || client_myds->myconn->userinfo==NULL)
 return;
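Review bot: In the COM_CHANGE_USER hunk the decrement is routed by `use_ldap_auth`, but after `reset(); init();` the flag keeps its old value and nothing in this patch ever sets it back to false, so once a session has authenticated through LDAP every later re-authentication on it — including one that succeeds against GloMyAuth — is counted and decorated as LDAP (compare the matching `if (use_ldap_auth == false)` in the CONNECTING_CLIENT hunk above). That desynchronises the per-user connection counters between the two authenticators and, as far as this diff shows, lets a native user re-authenticated on such a session escape GloMyAuth's limit. Clearing the flag once the previous user's counter has been released — `use_ldap_auth = false;` after the `GloMyLdapAuth->decrease_frontend_user_connections(...)` call, before the handshake response is processed again — lets the next lookup decide it afresh. The function starts before this hunk, so I cannot see whether the re-auth path resets it elsewhere.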