WL#14183: Support for MFA(multi factor authentication) and fido authentication.

This WL implements following:
1. Infrastructure to support multi factor authentication of mysql user accounts.
   a. Extend CREATE/ALTER USER syntax
   b. Extend SHOW CREATE USER
   c. Define new authentication policy for a given session
   d. New session tracker: SESSION_TRACK_CLIENT_PLUGIN_INFO
   e. Protocol changes to initiate 2nd and 3rd factor auth packet exchanges
2. Bundle open source code of cbor and libfido2 into extra folder.
3. New server side authentication plugin authentication_fido.so
4. New client side authentication plugin authentication_fido_client.so
5. Packaging related changes to bundle new libraries (libfido2.so,
   authentication_fido.so, authentication_fido_client.so) into rpms and debs.

RB#25510

Author: Bharathy Satish

CMakeLists.txt

@@ -714,7 +714,7 @@ INCLUDE(curl)
 INCLUDE(rapidjson)
 INCLUDE(fprofile)
 INCLUDE(gloves)
-
+INCLUDE(fido2)
 
 IF(UNIX)
   OPTION(WITH_VALGRIND "Valgrind instrumentation" OFF)
@@ -809,6 +809,16 @@ OPTION(WITH_AUTHENTICATION_CLIENT_PLUGINS
   "Build client-side authentication plugins, even if server-side are disabled"
   ${WITH_AUTHENTICATION_CLIENT_PLUGINS_DEFAULT})
 
+IF(WITH_INTERNAL AND (NOT SOLARIS))
+  SET(WITH_AUTHENTICATION_FIDO_DEFAULT ON)
+ELSE()
+  SET(WITH_AUTHENTICATION_FIDO_DEFAULT OFF)
+ENDIF()
+
+OPTION(WITH_AUTHENTICATION_FIDO
+  "Report error if the FIDO authentication plugin cannot be built."
+  ${WITH_AUTHENTICATION_FIDO_DEFAULT})
+
 # On windows we need a non-standard package for CURL.
 IF(WITH_INTERNAL AND UNIX)
   SET(WITH_CURL_DEFAULT "system")
@@ -1466,6 +1476,7 @@ SET(SYSTEM_LIBRARIES
   SSL
   ZLIB
   ZSTD
+  FIDO
   )
 
 SET(WITH_SYSTEM_LIBS_DEFAULT OFF)
@@ -1645,6 +1656,23 @@ ENDIF()
 # Add RapidJSON library.
 MYSQL_CHECK_RAPIDJSON()
 
+IF(WITH_AUTHENTICATION_FIDO)
+  IF(WITH_FIDO STREQUAL "system" AND
+    NOT WITH_SSL STREQUAL "system")
+      MESSAGE(WARNING "-DWITH_AUTHENTICATION_FIDO=ON")
+      MESSAGE(FATAL_ERROR "Inconsistent options for FIDO/SSL")
+  ENDIF()
+
+  # Add fido2 library
+  MYSQL_CHECK_FIDO()
+  MYSQL_CHECK_FIDO_DLLS()
+
+  IF(NOT FIDO_FOUND)
+    MESSAGE(FATAL_ERROR
+          "-DWITH_AUTHENTICATION_FIDO=ON, but missing required libraries")
+  ENDIF()
+ENDIF()
+
 MACRO(MY_INCLUDE_SYSTEM_DIRECTORIES LIBRARY)
   IF(${WITH_${LIBRARY}} STREQUAL "bundled")
     SET(BEFORE_OR_AFTER "BEFORE")
@@ -1694,11 +1722,27 @@ IF(LINUX)
   HAVE_PTHREAD_SETNAME_NP)
 ENDIF()
 
-IF(WITH_PROTOBUF STREQUAL "bundled")
+IF(WITH_PROTOBUF STREQUAL "bundled" OR WITH_FIDO STREQUAL "bundled")
   # Protobuf library is a target, installed to <root>/${INSTALL_PRIV_LIBDIR}
   # INSTALL_RPATH must be set for all binaries linking with libprotobuf.
-  SET(UNIX_INSTALL_RPATH_ORIGIN_PRIV_LIBDIR 1)
-  ADD_SUBDIRECTORY(extra/protobuf)
+  IF(WITH_PROTOBUF STREQUAL "bundled")
+    SET(UNIX_INSTALL_RPATH_ORIGIN_PRIV_LIBDIR 1)
+    ADD_SUBDIRECTORY(extra/protobuf)
+  ENDIF()
+
+  # The Fido library is a target, installed to <root>/${INSTALL_PRIV_LIBDIR}
+  # INSTALL_RPATH must be set for all binaries linking with libfido2.
+  IF(WITH_FIDO STREQUAL "bundled")
+    SET(INSTALL_RPATH_FOR_FIDO2 1)
+
+    # Silence warning about CMP0075
+    CMAKE_PUSH_CHECK_STATE()
+    SET(CMAKE_REQUIRED_LIBRARIES)
+    ADD_SUBDIRECTORY(${CMAKE_SOURCE_DIR}/${CBOR_BUNDLE_SRC_PATH})
+    ADD_SUBDIRECTORY(${CMAKE_SOURCE_DIR}/${FIDO_BUNDLE_SRC_PATH})
+    CMAKE_POP_CHECK_STATE()
+  ENDIF()
+
   IF(NOT APPLE AND NOT WIN32)
     # Debug versions of plugins may be installed to <root>/lib/plugin/debug
     FOREACH(LINK_FLAG

Doxyfile.in

@@ -2278,6 +2278,7 @@ SEARCH_INCLUDES        = YES
 # This tag requires that the tag SEARCH_INCLUDES is set to YES.
 
 INCLUDE_PATH           = . \
+                         client/include \
                          include \
                          include/mysql \
                          sql

client/CMakeLists.txt

@@ -32,13 +32,19 @@ ADD_SUBDIRECTORY(dump)
 ## Subdirectory for mysql_migrate_keyring code.
 ADD_SUBDIRECTORY(migrate_keyring)
 
+INCLUDE_DIRECTORIES(
+  ${CMAKE_CURRENT_SOURCE_DIR}/include
+)
+
 MYSQL_ADD_EXECUTABLE(mysql
   ${CMAKE_SOURCE_DIR}/sql-common/net_ns.cc
   completion_hash.cc
   mysql.cc
   pattern_matcher.cc
   readline.cc
   client_query_attributes.cc
+  multi_factor_passwordopt-vars.cc
+  ${CMAKE_CURRENT_SOURCE_DIR}/common/user_registration.cc
   LINK_LIBRARIES mysqlclient client_base ${EDITLINE_LIBRARY}
   )
 
@@ -68,18 +74,22 @@ MYSQL_ADD_EXECUTABLE(mysqltest
 MYSQL_ADD_EXECUTABLE(mysqlcheck
   check/mysqlcheck.cc
   check/mysqlcheck_core.cc
+  multi_factor_passwordopt-vars.cc
   LINK_LIBRARIES mysqlclient
   )
 MYSQL_ADD_EXECUTABLE(mysqldump
   mysqldump.cc
+  multi_factor_passwordopt-vars.cc
   LINK_LIBRARIES mysqlclient
   )
 MYSQL_ADD_EXECUTABLE(mysqlimport
   mysqlimport.cc
+  multi_factor_passwordopt-vars.cc
   LINK_LIBRARIES mysqlclient
   )
 MYSQL_ADD_EXECUTABLE(mysqlshow
   mysqlshow.cc
+  multi_factor_passwordopt-vars.cc
   LINK_LIBRARIES mysqlclient
   )
 
@@ -243,10 +253,12 @@ TARGET_INCLUDE_DIRECTORIES(mysqlbinlog PRIVATE ${CMAKE_SOURCE_DIR}/sql)
 
 MYSQL_ADD_EXECUTABLE(mysqladmin
   mysqladmin.cc
+  multi_factor_passwordopt-vars.cc
   LINK_LIBRARIES mysqlclient
   )
 MYSQL_ADD_EXECUTABLE(mysqlslap
   mysqlslap.cc
+  multi_factor_passwordopt-vars.cc
   LINK_LIBRARIES mysqlclient
   )
 MYSQL_ADD_EXECUTABLE(mysql_config_editor

client/base/mysql_connection_options.cc

@@ -100,10 +100,20 @@ void Mysql_connection_options::create_options() {
       ->set_value_step(1024)
       ->set_value(1024 * 1024L - 1024);
   this->create_new_password_option(
-          &this->m_password, "password",
+          &this->m_password[0], "password",
           "Password to use when connecting to server. If password is not given,"
           " it's solicited on the tty.")
       ->set_short_character('p');
+  this->create_new_password_option(
+      &this->m_password[0], "password1",
+      "Password for first factor authentication plugin.");
+  this->create_new_password_option(
+      &this->m_password[1], "password2",
+      "Password for second factor authentication plugin.");
+  this->create_new_password_option(
+      &this->m_password[2], "password3",
+      "Password for third factor authentication plugin.");
+
 #ifdef _WIN32
   this->create_new_option("pipe", "Use named pipes to connect to server.")
       ->set_short_character('W')
@@ -191,9 +201,8 @@ MYSQL *Mysql_connection_options::create_connection() {
                                      &this->m_get_server_public_key);
 
   if (!mysql_real_connect(connection, this->get_null_or_string(this->m_host),
-                          this->get_null_or_string(this->m_user),
-                          this->get_null_or_string(this->m_password), nullptr,
-                          this->m_mysql_port,
+                          this->get_null_or_string(this->m_user), nullptr,
+                          nullptr, this->m_mysql_port,
                           this->get_null_or_string(this->m_mysql_unix_port),
                           0)) {
     this->db_error(connection, "while connecting to the MySQL server");

client/base/mysql_connection_options.h

@@ -138,7 +138,7 @@ class Mysql_connection_options : public Composite_options_provider,
   uint32 m_max_allowed_packet;
   bool m_compress;
   std::optional<std::string> m_user;
-  std::optional<std::string> m_password;
+  std::optional<std::string> m_password[3];
   std::optional<std::string> m_default_charset;
   std::optional<std::string> m_server_public_key;
   bool m_get_server_public_key;

client/check/mysqlcheck.cc

@@ -57,17 +57,16 @@ static bool opt_alldbs = false, opt_check_only_changed = false,
             opt_extended = false, opt_compress = false, opt_databases = false,
             opt_fast = false, opt_medium_check = false, opt_quick = false,
             opt_all_in_1 = false, opt_silent = false, opt_auto_repair = false,
-            ignore_errors = false, tty_password = false, opt_frm = false,
-            debug_info_flag = false, debug_check_flag = false,
-            opt_fix_table_names = false, opt_fix_db_names = false,
-            opt_upgrade = false, opt_write_binlog = true;
+            ignore_errors = false, opt_frm = false, debug_info_flag = false,
+            debug_check_flag = false, opt_fix_table_names = false,
+            opt_fix_db_names = false, opt_upgrade = false,
+            opt_write_binlog = true;
 static uint verbose = 0, opt_mysql_port = 0;
 static uint opt_enable_cleartext_plugin = 0;
 static bool using_opt_enable_cleartext_plugin = false;
 static int my_end_arg;
 static char *opt_mysql_unix_port = nullptr;
-static char *opt_password = nullptr, *current_user = nullptr,
-            *current_host = nullptr;
+static char *current_user = nullptr, *current_host = nullptr;
 static const char *default_charset = nullptr;
 static char *opt_plugin_dir = nullptr, *opt_default_auth = nullptr;
 static int first_error = 0;
@@ -80,6 +79,8 @@ static char *shared_memory_base_name = 0;
 static uint opt_protocol = 0;
 static char *opt_bind_addr = nullptr;
 
+#include "multi_factor_passwordopt-vars.h"
+
 static struct my_option my_long_options[] = {
     {"all-databases", 'A',
      "Check all the databases. This is the same as --databases with all "
@@ -183,11 +184,7 @@ static struct my_option my_long_options[] = {
      nullptr, 0, nullptr},
     {"optimize", 'o', "Optimize table.", nullptr, nullptr, nullptr, GET_NO_ARG,
      NO_ARG, 0, 0, 0, nullptr, 0, nullptr},
-    {"password", 'p',
-     "Password to use when connecting to server. If password is not given, "
-     "it's solicited on the tty.",
-     nullptr, nullptr, nullptr, GET_PASSWORD, OPT_ARG, 0, 0, 0, nullptr, 0,
-     nullptr},
+#include "multi_factor_passwordopt-longopts.h"
 #ifdef _WIN32
     {"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
      NO_ARG, 0, 0, 0, 0, 0, 0},
@@ -267,7 +264,7 @@ static const char *load_default_groups[] = {"mysqlcheck", "client", nullptr};
 
 static void usage(void);
 static int get_options(int *argc, char ***argv, MEM_ROOT *alloc);
-static int dbConnect(char *host, char *user, char *passwd);
+static int dbConnect(char *host, char *user);
 static void dbDisconnect(char *host);
 static void DBerror(MYSQL *mysql, const string &when);
 static void safe_exit(int error);
@@ -331,24 +328,7 @@ static bool get_one_option(int optid, const struct my_option *opt,
     case 'o':
       what_to_do = DO_OPTIMIZE;
       break;
-    case 'p':
-      if (argument == disabled_my_option) {
-        // Don't require password
-        static char empty_password[] = {'\0'};
-        assert(empty_password[0] ==
-               '\0');  // Check that it has not been overwritten
-        argument = empty_password;
-      }
-      if (argument) {
-        char *start = argument;
-        my_free(opt_password);
-        opt_password = my_strdup(PSI_NOT_INSTRUMENTED, argument, MYF(MY_FAE));
-        while (*argument) *argument++ = 'x'; /* Destroy argument */
-        if (*start) start[1] = 0;            /* Cut length of argument */
-        tty_password = false;
-      } else
-        tty_password = true;
-      break;
+      PARSE_COMMAND_LINE_PASSWORD_OPTION;
     case 'r':
       what_to_do = DO_REPAIR;
       break;
@@ -454,13 +434,12 @@ static int get_options(int *argc, char ***argv, MEM_ROOT *alloc) {
     printf("for more information.\n");
     return 1;
   }
-  if (tty_password) opt_password = get_tty_password(NullS);
   if (debug_info_flag) my_end_arg = MY_CHECK_ERROR | MY_GIVE_INFO;
   if (debug_check_flag) my_end_arg = MY_CHECK_ERROR;
   return (0);
 } /* get_options */
 
-static int dbConnect(char *host, char *user, char *passwd) {
+static int dbConnect(char *host, char *user) {
   DBUG_TRACE;
   if (verbose) {
     fprintf(stderr, "# Connecting to %s...\n", host ? host : "localhost");
@@ -504,8 +483,9 @@ static int dbConnect(char *host, char *user, char *passwd) {
                  "mysqlcheck");
   set_server_public_key(&mysql_connection);
   set_get_server_public_key_option(&mysql_connection);
+  set_password_options(&mysql_connection);
   if (!(sock =
-            mysql_real_connect(&mysql_connection, host, user, passwd, nullptr,
+            mysql_real_connect(&mysql_connection, host, user, nullptr, nullptr,
                                opt_mysql_port, opt_mysql_unix_port, 0))) {
     DBerror(&mysql_connection, "when trying to connect");
     return 1;
@@ -544,7 +524,7 @@ int main(int argc, char **argv) {
     my_end(my_end_arg);
     exit(EX_USAGE);
   }
-  if (dbConnect(current_host, current_user, opt_password)) exit(EX_MYSQLERR);
+  if (dbConnect(current_host, current_user)) exit(EX_MYSQLERR);
 
   // Sun Studio does not work with range constructor from char** to string.
   vector<string> conv;
@@ -559,7 +539,7 @@ int main(int argc, char **argv) {
               DBerror);
 
   dbDisconnect(current_host);
-  my_free(opt_password);
+  free_passwords();
 #if defined(_WIN32)
   my_free(shared_memory_base_name);
 #endif