WL#8048 - Non-intrusive refactoring of a ACL related context class.

WL description:
================
Most of the members of this class are public. Code accessing
and modifying them is spread in many files of MySQL code.

As part of this work log,

* All public data members of this context class are converted
  to private ones and public accessor methods are introduced
  for them. Code accessing data members directly will be replaced
  to use the getter method. And code modifying these members
  will be replaced with setter method.

* The THD class holds pointer to the object of ACL related
  context class. Accessor methods are introduced for this.
  And code accessing and modifying this member will be
  replaced with accessor methods.

Author: phulakun

libmysqld/lib_sql.cc

@@ -728,8 +728,8 @@ void *create_embedded_thd(int client_flag)
 
   thd->reset_db(NULL_CSTR);
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  thd->security_ctx->db_access= DB_ACLS;
-  thd->security_ctx->master_access= ~NO_ACCESS;
+  thd->security_context()->set_db_access(DB_ACLS);
+  thd->security_context()->set_master_access(~NO_ACCESS);
 #endif
   thd->cur_data= 0;
   thd->first_data= 0;
@@ -778,15 +778,14 @@ int check_embedded_connection(MYSQL *mysql, const char *db)
 
   thd_init_client_charset(thd, mysql->charset->number);
   thd->update_charset();
-  Security_context *sctx= thd->security_ctx;
-  sctx->set_host(my_localhost);
-  sctx->host_or_ip= sctx->get_host()->ptr();
-  strmake(sctx->priv_host, (char*) my_localhost,  MAX_HOSTNAME-1);
-  strmake(sctx->priv_user, mysql->user,  USERNAME_LENGTH-1);
-  sctx->user= my_strdup(PSI_NOT_INSTRUMENTED,
-                        mysql->user, MYF(0));
-  sctx->proxy_user[0]= 0;
-  sctx->master_access= GLOBAL_ACLS;       // Full rights
+  Security_context *sctx= thd->security_context();
+  sctx->set_host_ptr(my_localhost, strlen(my_localhost));
+  sctx->set_host_or_ip_ptr(sctx->host().str, sctx->host().length);
+  sctx->assign_priv_user(mysql->user, strlen(mysql->user));
+  sctx->assign_user(mysql->user, strlen(mysql->user));
+  sctx->assign_proxy_user("", 0);
+  sctx->assign_priv_host(my_localhost, strlen(my_localhost));
+  sctx->set_master_access(GLOBAL_ACLS);       // Full rights
   emb_transfer_connect_attrs(mysql);
   /* Change database if necessary */
   if (!(result= (db && db[0] && mysql_change_db(thd, db_lex_cstr, false))))
@@ -806,7 +805,7 @@ int check_embedded_connection(MYSQL *mysql, const char *db)
   char *buf, *end;
   NET *net= &mysql->net;
   THD *thd= (THD*)mysql->thd;
-  Security_context *sctx= thd->security_ctx;
+  Security_context *sctx= thd->security_context();
   size_t connect_attrs_len=
     (mysql->server_capabilities & CLIENT_CONNECT_ATTRS &&
      mysql->options.extension) ?
@@ -858,7 +857,7 @@ int check_embedded_connection(MYSQL *mysql, const char *db)
 
   if (acl_authenticate(thd, 0, end - buf))
   {
-    x_free(thd->security_ctx->user);
+    x_free(thd->security_context()->user().str);
     goto err;
   }
   my_afree(buf);

sql/CMakeLists.txt

@@ -66,6 +66,7 @@ SET(SQL_SHARED_SOURCES
   auth/sql_user_table.cc
   auth/sql_user.cc
   auth/password.c
+  auth/sql_security_ctx.cc
   bootstrap.cc
   conn_handler/connection_handler_manager.cc 
   datadict.cc

sql/auth/sql_auth_cache.cc

@@ -1052,11 +1052,10 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
   DBUG_PRINT("enter", ("Host: '%s', Ip: '%s', User: '%s', db: '%s'",
                        (host ? host : "(NULL)"), (ip ? ip : "(NULL)"),
                        user, (db ? db : "(NULL)")));
-  sctx->user= user;
-  sctx->set_host(host);
-  sctx->set_ip(ip);
-
-  sctx->host_or_ip= host ? host : (ip ? ip : "");
+  sctx->set_user_ptr(user, user ? strlen(user) : 0);
+  sctx->set_host_ptr(host, host ? strlen(host) : 0);
+  sctx->set_ip_ptr(ip, ip? strlen(ip) : 0);
+  sctx->set_host_or_ip_ptr();
 
   if (!initialized)
   {
@@ -1069,9 +1068,10 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
 
   mysql_mutex_lock(&acl_cache->lock);
 
-  sctx->master_access= 0;
-  sctx->db_access= 0;
-  *sctx->priv_user= *sctx->priv_host= 0;
+  sctx->set_master_access(0);
+  sctx->set_db_access(0);
+  sctx->assign_priv_user("", 0);
+  sctx->assign_priv_host("", 0);
 
   /*
      Find acl entry in user database.
@@ -1105,25 +1105,20 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
         {
           if (!acl_db->db || (db && !wild_compare(db, acl_db->db, 0)))
           {
-            sctx->db_access= acl_db->access;
+            sctx->set_db_access(acl_db->access);
             break;
           }
         }
       }
     }
-    sctx->master_access= acl_user->access;
-
-    if (acl_user->user)
-      strmake(sctx->priv_user, user, USERNAME_LENGTH);
-    else
-      *sctx->priv_user= 0;
+    sctx->set_master_access(acl_user->access);
+    sctx->assign_priv_user(user, user ? strlen(user) : 0);
 
-    if (acl_user->host.get_host())
-      strmake(sctx->priv_host, acl_user->host.get_host(), MAX_HOSTNAME - 1);
-    else
-      *sctx->priv_host= 0;
+    sctx->assign_priv_host(acl_user->host.get_host(),
+                           acl_user->host.get_host() ?
+                           strlen(acl_user->host.get_host()) : 0);
 
-    sctx->password_expired= acl_user->password_expired;
+    sctx->set_password_expired(acl_user->password_expired);
   }
   mysql_mutex_unlock(&acl_cache->lock);
   DBUG_RETURN(res);
@@ -2639,8 +2634,8 @@ update_sctx_cache(Security_context *sctx, ACL_USER *acl_user_ptr, bool expired)
 {
   const char *acl_host= acl_user_ptr->host.get_host();
   const char *acl_user= acl_user_ptr->user;
-  const char *sctx_user= sctx->priv_user;
-  const char *sctx_host= sctx->priv_host;
+  const char *sctx_user= sctx->priv_user().str;
+  const char *sctx_host= sctx->priv_host().str;
 
   if (!acl_host)
     acl_host= "";
@@ -2653,7 +2648,7 @@ update_sctx_cache(Security_context *sctx, ACL_USER *acl_user_ptr, bool expired)
 
   if (!strcmp(acl_user, sctx_user) && !strcmp(acl_host, sctx_host))
   {
-    sctx->password_expired= expired;
+    sctx->set_password_expired(expired);
     return true;
   }
 

sql/auth/sql_authentication.cc

@@ -1944,13 +1944,14 @@ static void
 server_mpvio_initialize(THD *thd, MPVIO_EXT *mpvio,
                         Thd_charset_adapter *charset_adapter)
 {
+  LEX_CSTRING sctx_host_or_ip= thd->security_context()->host_or_ip();
+
   memset(mpvio, 0, sizeof(MPVIO_EXT));
   mpvio->read_packet= server_mpvio_read_packet;
   mpvio->write_packet= server_mpvio_write_packet;
   mpvio->info= server_mpvio_info;
-  mpvio->auth_info.host_or_ip= thd->security_ctx->host_or_ip;
-  mpvio->auth_info.host_or_ip_length= 
-    (unsigned int) strlen(thd->security_ctx->host_or_ip);
+  mpvio->auth_info.host_or_ip= sctx_host_or_ip.str;
+  mpvio->auth_info.host_or_ip_length= sctx_host_or_ip.length;
   mpvio->auth_info.user_name= NULL;
   mpvio->auth_info.user_name_length= 0;
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
@@ -1968,8 +1969,8 @@ server_mpvio_initialize(THD *thd, MPVIO_EXT *mpvio,
   mpvio->thread_id= thd->thread_id();
   mpvio->server_status= &thd->server_status;
   mpvio->net= &thd->net;
-  mpvio->ip= (char *) thd->security_ctx->get_ip()->ptr();
-  mpvio->host= (char *) thd->security_ctx->get_host()->ptr();
+  mpvio->ip= (char *) thd->security_context()->ip().str;
+  mpvio->host= (char *) thd->security_context()->host().str;
   mpvio->charset_adapter= charset_adapter;
 }
 
@@ -1982,7 +1983,14 @@ server_mpvio_update_thd(THD *thd, MPVIO_EXT *mpvio)
   thd->max_client_packet_length= mpvio->max_client_packet_length;
   if (mpvio->client_capabilities & CLIENT_INTERACTIVE)
     thd->variables.net_wait_timeout= thd->variables.net_interactive_timeout;
-  thd->security_ctx->user= mpvio->auth_info.user_name;
+  thd->security_context()->assign_user(
+    mpvio->auth_info.user_name,
+    (mpvio->auth_info.user_name ? strlen(mpvio->auth_info.user_name) : 0));
+  if (mpvio->auth_info.user_name)
+    my_free(mpvio->auth_info.user_name);
+  LEX_CSTRING sctx_user= thd->security_context()->user();
+  mpvio->auth_info.user_name= (char *) sctx_user.str;
+  mpvio->auth_info.user_name_length= sctx_user.length;
   if (thd->client_capabilities & CLIENT_IGNORE_SPACE)
     thd->variables.sql_mode|= MODE_IGNORE_SPACE;
 }
@@ -2133,7 +2141,7 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
 
   server_mpvio_update_thd(thd, &mpvio);
 
-  Security_context *sctx= thd->security_ctx;
+  Security_context *sctx= thd->security_context();
   const ACL_USER *acl_user= mpvio.acl_user;
 
   thd->password= mpvio.auth_info.password_used;  // remember for error messages 
@@ -2193,7 +2201,7 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
     DBUG_RETURN (1);
   }
 
-  sctx->proxy_user[0]= 0;
+  sctx->assign_proxy_user("", 0);
 
   if (initialized) // if not --skip-grant-tables
   {
@@ -2203,13 +2211,13 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
     const char *auth_user = acl_user->user ? acl_user->user : "";
     ACL_PROXY_USER *proxy_user;
     /* check if the user is allowed to proxy as another user */
-    proxy_user= acl_find_proxy_user(auth_user, sctx->get_host()->ptr(),
-                                    sctx->get_ip()->ptr(),
+    proxy_user= acl_find_proxy_user(auth_user, sctx->host().str, sctx->ip().str,
                                     mpvio.auth_info.authenticated_as,
                                     &is_proxy_user);
     if (is_proxy_user)
     {
       ACL_USER *acl_proxy_user;
+      char proxy_user_buf[USERNAME_LENGTH + MAX_HOSTNAME + 5];
 
       /* we need to find the proxy user, but there was none */
       if (!proxy_user)
@@ -2222,9 +2230,10 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
         DBUG_RETURN(1);
       }
 
-      my_snprintf(sctx->proxy_user, sizeof(sctx->proxy_user) - 1,
+      my_snprintf(proxy_user_buf, sizeof(proxy_user_buf) - 1,
                   "'%s'@'%s'", auth_user,
                   acl_user->host.get_host() ? acl_user->host.get_host() : "");
+      sctx->assign_proxy_user(proxy_user_buf, strlen(proxy_user_buf));
 
       /* we're proxying : find the proxy user definition */
       mysql_mutex_lock(&acl_cache->lock);
@@ -2248,18 +2257,14 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
     }
 #endif /* NO_EMBEDDED_ACCESS_CHECKS */
 
-    sctx->master_access= acl_user->access;
-    if (acl_user->user)
-      strmake(sctx->priv_user, acl_user->user, USERNAME_LENGTH - 1);
-    else
-      *sctx->priv_user= 0;
-
-    if (acl_user->host.get_host())
-      strmake(sctx->priv_host, acl_user->host.get_host(), MAX_HOSTNAME - 1);
-    else
-      *sctx->priv_host= 0;
+    sctx->set_master_access(acl_user->access);
+    sctx->assign_priv_user(acl_user->user, acl_user->user ?
+                                           strlen(acl_user->user) : 0);
+    sctx->assign_priv_host(acl_user->host.get_host(),
+                           acl_user->host.get_host() ?
+                           strlen(acl_user->host.get_host()) : 0);
 
-    if (!(sctx->master_access & SUPER_ACL) && !thd->is_error())
+    if (!(sctx->check_access(SUPER_ACL)) && !thd->is_error())
     {
       mysql_mutex_lock(&LOCK_offline_mode);
       bool tmp_offline_mode= MY_TEST(offline_mode);
@@ -2318,8 +2323,10 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
          acl_user->user_resource.user_conn ||
          global_system_variables.max_user_connections) &&
         get_or_create_user_conn(thd,
-          (opt_old_style_user_limits ? sctx->user : sctx->priv_user),
-          (opt_old_style_user_limits ? sctx->host_or_ip : sctx->priv_host),
+          (opt_old_style_user_limits ? sctx->user().str :
+                                       sctx->priv_user().str),
+          (opt_old_style_user_limits ? sctx->host_or_ip().str :
+                                       sctx->priv_host().str),
           &acl_user->user_resource))
       DBUG_RETURN(1); // The error is set by get_or_create_user_conn()
 
@@ -2329,7 +2336,8 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
       This allows proxy user to execute queries even if proxied user password
       expires.
     */
-    sctx->password_expired= mpvio.acl_user->password_expired || password_time_expired;
+    sctx->set_password_expired(mpvio.acl_user->password_expired ||
+                               password_time_expired);
 #endif /* NO_EMBEDDED_ACCESS_CHECKS */
   }
   else
@@ -2349,12 +2357,12 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
               "Login user: '%s' Priv_user: '%s'  Using password: %s "
               "Access: %lu  db: '%s'",
               thd->client_capabilities, thd->max_client_packet_length,
-              sctx->host_or_ip, sctx->user, sctx->priv_user,
+              sctx->host_or_ip().str, sctx->user().str, sctx->priv_user().str,
               thd->password ? "yes": "no",
-              sctx->master_access, mpvio.db.str));
+              sctx->master_access(), mpvio.db.str));
 
   if (command == COM_CONNECT &&
-      !(thd->main_security_ctx.master_access & SUPER_ACL))
+      !(thd->m_main_security_ctx.check_access(SUPER_ACL)))
   {
 #ifndef EMBEDDED_LIBRARY
     if (!Connection_handler_manager::get_instance()->valid_connection_count())
@@ -2371,7 +2379,7 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
     set to 0 here because we don't have an active database yet (and we
     may not have an active database to set.
   */
-  sctx->db_access=0;
+  sctx->set_db_access(0);
 
   /* Change a database if necessary */
   if (mpvio.db.length)
@@ -2388,8 +2396,8 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
   }
 
   if (mpvio.auth_info.external_user[0])
-    sctx->set_external_user(my_strdup(key_memory_MPVIO_EXT_auth_info,
-                                      mpvio.auth_info.external_user, MYF(0)));
+    sctx->assign_external_user(mpvio.auth_info.external_user,
+                               strlen(mpvio.auth_info.external_user));
 
 
   if (res == CR_OK_HANDSHAKE_COMPLETE)
@@ -2398,9 +2406,11 @@ acl_authenticate(THD *thd, size_t com_change_user_pkt_len)
     my_ok(thd);
 
 #ifdef HAVE_PSI_THREAD_INTERFACE
+  LEX_CSTRING main_sctx_user= thd->m_main_security_ctx.user();
+  LEX_CSTRING main_sctx_host_or_ip= thd->m_main_security_ctx.host_or_ip();
   PSI_THREAD_CALL(set_thread_account)
-    (thd->main_security_ctx.user, strlen(thd->main_security_ctx.user),
-    thd->main_security_ctx.host_or_ip, strlen(thd->main_security_ctx.host_or_ip));
+    (main_sctx_user.str, main_sctx_user.length,
+     main_sctx_host_or_ip.str, main_sctx_host_or_ip.length);
 #endif /* HAVE_PSI_THREAD_INTERFACE */
 
   /* Ready to handle queries */