-
Notifications
You must be signed in to change notification settings - Fork 4k
/
Copy pathsql_mfa.h
238 lines (208 loc) · 8.14 KB
/
sql_mfa.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
/* Copyright (c) 2021, 2025, Oracle and/or its affiliates.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, version 2.0,
as published by the Free Software Foundation.
This program is designed to work with certain software (including
but not limited to OpenSSL) that is licensed under separate terms,
as designated in a particular file or component or in included license
documentation. The authors of MySQL hereby grant you an additional
permission to link the program and your derivative works with the
separately licensed software that they have either included with
the program or referenced in the documentation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License, version 2.0, for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#ifndef SQL_MFA_INCLUDED
#define SQL_MFA_INCLUDED
#include <string>
#include <vector>
#include "sql-common/json_dom.h" // Json_array
#include "sql/auth/authentication_policy.h"
#include "sql/auth/user_table.h"
#include "sql/mem_root_allocator.h"
#include "sql/sql_class.h"
#include "sql/table.h"
enum class nthfactor { NONE = 1, SECOND_FACTOR, THIRD_FACTOR };
class Multi_factor_auth_list;
class Multi_factor_auth_info;
using server_challenge_info_vector =
std::vector<std::pair<std::string, std::string>>;
/**
An interface to access information about Multi factor authentication
methods. This interface represents a chain of authentication plugins
for a given user account.
*/
class I_multi_factor_auth {
public:
virtual ~I_multi_factor_auth() = default;
/**
Helper methods to verify and update ALTER USER sql
when altering Multi factor authentication methods.
*/
virtual bool is_alter_allowed(THD *, LEX_USER *) { return false; }
virtual void alter_mfa(I_multi_factor_auth *) {}
/**
Helper method to validate Multi factor authentication methods.
*/
virtual bool validate_plugins_in_auth_chain(
THD *thd, const authentication_policy::Factors &policy_factors) = 0;
/**
Helper method to validate Multi factor authentication methods are
correct compared to authentication policy.
*/
virtual bool validate_against_authentication_policy(
THD *, const authentication_policy::Factors &) {
return false;
}
/**
method to add/delete Multi factor authentication methods in user_attributes
column.
*/
virtual bool update_user_attributes() = 0;
virtual void add_factor(I_multi_factor_auth *m [[maybe_unused]]) {}
/**
Helper methods to convert this interface into a valid JSON object
and vice versa.
*/
virtual bool serialize(Json_array &mfa_arr) = 0;
virtual bool deserialize(uint f, Json_dom *mfa_dom) = 0;
/**
Helper methods to do registration step.
*/
virtual bool init_registration(THD *, uint) = 0;
virtual bool finish_registration(THD *, LEX_USER *, uint) = 0;
virtual bool is_passwordless() = 0;
/**
Fill needed info in LEX_USER::mfa_list for query rewrite
*/
virtual void get_info_for_query_rewrite(THD *, LEX_USER *) = 0;
/**
Fill in generated passwords from respective Multi factor authentication
methods
*/
virtual void get_generated_passwords(Userhostpassword_list &gp, const char *u,
const char *h) = 0;
/**
Fill in server challenge generated as part of initiate registration step.
*/
virtual void get_server_challenge_info(server_challenge_info_vector &sc) = 0;
/**
Get methods.
*/
Multi_factor_auth_list *get_multi_factor_auth_list() {
return down_cast<Multi_factor_auth_list *>(this);
}
Multi_factor_auth_info *get_multi_factor_auth_info() {
return down_cast<Multi_factor_auth_info *>(this);
}
};
template <typename T>
using my_vector = std::vector<T, Mem_root_allocator<T>>;
class Multi_factor_auth_list : public I_multi_factor_auth {
private:
/* multi_factor_auth hierarchy */
my_vector<I_multi_factor_auth *> m_factor;
public:
Multi_factor_auth_list(MEM_ROOT *);
~Multi_factor_auth_list() override;
my_vector<I_multi_factor_auth *> &get_mfa_list();
size_t get_mfa_list_size();
bool is_alter_allowed(THD *, LEX_USER *) override;
void alter_mfa(I_multi_factor_auth *) override;
bool validate_plugins_in_auth_chain(
THD *thd, const authentication_policy::Factors &policy_factors) override;
bool validate_against_authentication_policy(
THD *thd, const authentication_policy::Factors &policy_factors) override;
bool update_user_attributes() override;
void add_factor(I_multi_factor_auth *m) override;
bool serialize(Json_array &mfa_arr) override;
bool deserialize(uint f, Json_dom *mfa_dom) override;
bool init_registration(THD *, uint) override;
bool finish_registration(THD *, LEX_USER *, uint) override;
bool is_passwordless() override;
void get_info_for_query_rewrite(THD *, LEX_USER *) override;
void get_generated_passwords(Userhostpassword_list &gp, const char *u,
const char *h) override;
void get_server_challenge_info(server_challenge_info_vector &sc) override;
private:
/*
This methods ensures that hierarchy of m_factor is always
2FA followed by 3FA.
*/
void sort_mfa();
};
/*
This class represents each individual factor from chain of
authentication plugins for a given user account.
*/
class Multi_factor_auth_info : public I_multi_factor_auth {
private:
MEM_ROOT *m_mem_root;
LEX_MFA *m_multi_factor_auth;
acl_table::Pod_user_what_to_update m_update;
public:
Multi_factor_auth_info(MEM_ROOT *mem_root);
Multi_factor_auth_info(MEM_ROOT *mem_root, LEX_MFA *m);
~Multi_factor_auth_info() override {}
/* validate Multi factor authentication plugins during ACL DDL */
bool validate_plugins_in_auth_chain(
THD *thd, const authentication_policy::Factors &policy_factors) override;
/* update user attributes */
bool update_user_attributes() override;
/* construct json object out of user attributes column */
bool serialize(Json_array &mfa_arr) override;
bool deserialize(uint f, Json_dom *mfa_dom) override;
/* helper methods to do registration */
bool init_registration(THD *, uint) override;
bool finish_registration(THD *, LEX_USER *, uint) override;
bool is_passwordless() override;
void get_info_for_query_rewrite(THD *, LEX_USER *) override;
void get_generated_passwords(Userhostpassword_list &gp, const char *u,
const char *h) override;
void get_server_challenge_info(server_challenge_info_vector &sc) override;
/* during ALTER USER copy attributes from ACL_USER */
Multi_factor_auth_info &operator=(Multi_factor_auth_info &new_af);
private:
/*
validate Multi factor authentication attributes read from row of
mysql.user table
*/
bool validate_row();
public:
bool is_identified_by();
bool is_identified_with();
LEX_CSTRING &plugin_name();
const char *get_auth_str();
size_t get_auth_str_len();
const char *get_plugin_str();
size_t get_plugin_str_len();
const char *get_generated_password_str();
size_t get_generated_password_len();
const char *get_client_plugin_str();
size_t get_client_plugin_len();
nthfactor get_factor();
unsigned int get_nth_factor();
bool is_add_factor();
bool is_drop_factor();
bool is_modify_factor();
bool get_init_registration();
bool get_finish_registration();
bool get_requires_registration();
bool get_unregister();
LEX_MFA *get_lex_mfa();
void set_auth_str(const char *, size_t);
void set_plugin_str(const char *, size_t);
void set_generated_password(const char *, size_t);
void set_client_plugin(const char *, size_t);
void set_factor(nthfactor f);
void set_passwordless(int v);
void set_init_registration(bool v);
void set_finish_registration(bool v);
void set_requires_registration(int v);
std::string get_command_string(enum_sql_command sql_command);
};
#endif /* SQL_MFA_INCLUDED */