Bug #31427410: MISSING CHECKS ON INFORMATION_SCHEMA.USER_ATTRIBUTES

RB#24996

1. Implemented a CAN_ACCESS_USER() internal function that returns true
if:
  - if it's the slave thread
  - if the ACL system hasn't been initialized
  - if the user checked is the currently authenticated account
  - if the currently authenticated account has UPDATE on mysql.user
  - if the currently authenticated account has SELECT on mysql.user
  - if the currently authenticated account has CREATE USER and same
    SYSTEM_USER level
2. Made the I_S.USSER_ATTRIBUTES view use a WHERE clause with the new
  internal function
3. updated the test suite

Author: gkodinov

mysql-test/r/information_schema_ci.result

@@ -2257,6 +2257,8 @@ SELECT CAN_ACCESS_TABLE("test", "t1") AS f1, COLUMN_NAME AS F2  FROM INFORMATION
 ERROR HY000: Access to native function 'CAN_ACCESS_TABLE' is rejected.
 PREPARE stmt FROM 'SELECT CAN_ACCESS_TABLE("test", "t1") AS f1, COLUMN_NAME AS F2  FROM INFORMATION_SCHEMA.COLUMNS';
 ERROR HY000: Access to native function 'CAN_ACCESS_TABLE' is rejected.
+SELECT CAN_ACCESS_USER(NULL, NULL);
+ERROR HY000: Access to native function 'CAN_ACCESS_USER' is rejected.
 # Case 2: Invoking I_S native methods should be allowed through I_S queries.
 SELECT * FROM INFORMATION_SCHEMA.TABLES where table_name='t1';
 TABLE_CATALOG	TABLE_SCHEMA	TABLE_NAME	TABLE_TYPE	ENGINE	VERSION	ROW_FORMAT	TABLE_ROWS	AVG_ROW_LENGTH	DATA_LENGTH	MAX_DATA_LENGTH	INDEX_LENGTH	DATA_FREE	AUTO_INCREMENT	CREATE_TIME	UPDATE_TIME	CHECK_TIME	TABLE_COLLATION	CHECKSUM	CREATE_OPTIONS	TABLE_COMMENT

mysql-test/r/information_schema_cs.result

@@ -2257,6 +2257,8 @@ SELECT CAN_ACCESS_TABLE("test", "t1") AS f1, COLUMN_NAME AS F2  FROM INFORMATION
 ERROR HY000: Access to native function 'CAN_ACCESS_TABLE' is rejected.
 PREPARE stmt FROM 'SELECT CAN_ACCESS_TABLE("test", "t1") AS f1, COLUMN_NAME AS F2  FROM INFORMATION_SCHEMA.COLUMNS';
 ERROR HY000: Access to native function 'CAN_ACCESS_TABLE' is rejected.
+SELECT CAN_ACCESS_USER(NULL, NULL);
+ERROR HY000: Access to native function 'CAN_ACCESS_USER' is rejected.
 # Case 2: Invoking I_S native methods should be allowed through I_S queries.
 SELECT * FROM INFORMATION_SCHEMA.TABLES where table_name='t1';
 TABLE_CATALOG	TABLE_SCHEMA	TABLE_NAME	TABLE_TYPE	ENGINE	VERSION	ROW_FORMAT	TABLE_ROWS	AVG_ROW_LENGTH	DATA_LENGTH	MAX_DATA_LENGTH	INDEX_LENGTH	DATA_FREE	AUTO_INCREMENT	CREATE_TIME	UPDATE_TIME	CHECK_TIME	TABLE_COLLATION	CHECKSUM	CREATE_OPTIONS	TABLE_COMMENT

mysql-test/suite/information_schema/r/i_s_schema_definition_debug.result

@@ -1631,13 +1631,15 @@ CREATE OR REPLACE DEFINER=`mysql.infoschema`@`localhost` VIEW information_schema
   user AS USER,
   host AS HOST,
   user_attributes->>"$.metadata" AS `ATTRIBUTE` FROM 
-  mysql.user
+  mysql.user WHERE 
+  CAN_ACCESS_USER(mysql.user.user,mysql.user.host)
 
 INSERT INTO I_S_check_table(t) VALUES ('CREATE OR REPLACE DEFINER=`mysql.infoschema`@`localhost` VIEW information_schema.USER_ATTRIBUTES AS SELECT 
   user AS USER,
   host AS HOST,
   user_attributes->>"$.metadata" AS `ATTRIBUTE` FROM 
-  mysql.user
+  mysql.user WHERE 
+  CAN_ACCESS_USER(mysql.user.user,mysql.user.host)
 ');
 SET debug = '-d,fetch_system_view_definition';
 ########################################################################

mysql-test/suite/information_schema/t/i_s_schema_definition_debug.test

@@ -286,10 +286,10 @@ INSERT INTO I_S_published_schema
     'b1359fbef2feecf8dfc688dc0716cea8686905aeee15a0115bcbfdbc0dc8f456');
 INSERT INTO I_S_published_schema
   VALUES ('80022', '80022', 0,
-    '62fc3151c2e890ecc3d7b4b93b4660f2a5723235fa2d78b24d3c4c8c0a38ac51');
+    '53555f72c6938d7a343d6b344900d52acf4ebe228bb0d70b30eb1ad1ab693a8d');
 INSERT INTO I_S_published_schema
   VALUES ('80022', '80022', 1,
-    'f50b558841a43fa9cc085a72f8df2bb62b8af4c6904b7f0d44fc133e69b23368');
+    '6702af4a1d352b7c8a27280358b7fa95667c5b3e27d1a7f1e4ffbe791d00dffe');
 
 LET $checksum_version = `SELECT IF(ISNULL(mysqld_version), "0", i_s_version)
                   FROM I_S_published_schema i RIGHT OUTER JOIN whole_schema w

mysql-test/suite/rpl/t/rpl_alter_user.test

@@ -233,15 +233,15 @@ DROP USER u1@localhost;
 CREATE USER u1@localhost IDENTIFIED BY 'foo' ATTRIBUTE '{"trackingId": "12345"}';
 CREATE USER u2@localhost COMMENT 'This is account is used by my private LAMP project';
 --source include/sync_slave_sql_with_master.inc
---connect(slave_con1, localhost, u1, foo, test, $SLAVE_MYPORT,,SSL)
+--connect(slave_con1, localhost, root,, test, $SLAVE_MYPORT,,SSL)
 --echo [connection slave]
 SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES WHERE USER = 'u1' OR USER = 'u2';
 --connection master
 --echo [connection master]
 --disconnect slave_con1
 ALTER USER u1@localhost COMMENT 'TODO: Delete this user';
 --source include/sync_slave_sql_with_master.inc
---connect(slave_con1, localhost, u1, foo, test, $SLAVE_MYPORT,,SSL)
+--connect(slave_con1, localhost, root,, test, $SLAVE_MYPORT,,SSL)
 --echo [connection slave]
 SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES WHERE USER = 'u1';
 --let $comment = `SELECT JSON_EXTRACT(ATTRIBUTE, "$.comment") FROM INFORMATION_SCHEMA.USER_ATTRIBUTES WHERE USER= 'u1'`

mysql-test/t/information_schema_cs.test

@@ -2080,6 +2080,9 @@ SELECT CAN_ACCESS_TABLE("test", "t1") AS f1, COLUMN_NAME AS F2  FROM INFORMATION
 --error ER_NO_ACCESS_TO_NATIVE_FCT
 PREPARE stmt FROM 'SELECT CAN_ACCESS_TABLE("test", "t1") AS f1, COLUMN_NAME AS F2  FROM INFORMATION_SCHEMA.COLUMNS';
 
+--error ER_NO_ACCESS_TO_NATIVE_FCT
+SELECT CAN_ACCESS_USER(NULL, NULL);
+
 --echo # Case 2: Invoking I_S native methods should be allowed through I_S queries.
 --replace_column 6 # 7 # 8 # 9 # 10 # 11 # 12 # 13 # 14 # 15 # 16 # 17 # 18 # 19 # 20 # 21 #
 SELECT * FROM INFORMATION_SCHEMA.TABLES where table_name='t1';

sql/auth/auth_common.h

@@ -737,6 +737,7 @@ bool mysql_alter_user(THD *thd, List<LEX_USER> &list, bool if_exists);
 bool mysql_drop_user(THD *thd, List<LEX_USER> &list, bool if_exists,
                      bool drop_role);
 bool mysql_rename_user(THD *thd, List<LEX_USER> &list);
+bool acl_can_access_user(THD *thd, LEX_USER *user);
 
 /* sql_auth_cache */
 void init_acl_memory();

sql/auth/sql_security_ctx.cc

@@ -713,6 +713,8 @@ std::pair<bool, bool> Security_context::has_global_grant(
                                     auth_id.
                                     true  - consider as privilege exists
                                     false - consider as privilege do not exist
+  @param  [in]  throw_error         Flag to decide if error needs to be thrown
+  or not.
 
   @retval true    auth_id has the privilege but the current_auth does not, also
                   throws error.
@@ -721,7 +723,8 @@ std::pair<bool, bool> Security_context::has_global_grant(
 bool Security_context::can_operate_with(const Auth_id &auth_id,
                                         const std::string &privilege,
                                         bool cumulative /*= false */,
-                                        bool ignore_if_nonextant /*= true */) {
+                                        bool ignore_if_nonextant /*= true */,
+                                        bool throw_error /* = true */) {
   DBUG_TRACE;
   Acl_cache_lock_guard acl_cache_lock(current_thd,
                                       Acl_cache_lock_mode::READ_MODE);
@@ -736,7 +739,8 @@ bool Security_context::can_operate_with(const Auth_id &auth_id,
     if (ignore_if_nonextant)
       return false;
     else {
-      my_error(ER_USER_DOES_NOT_EXIST, MYF(0), auth_id.auth_str().c_str());
+      if (throw_error)
+        my_error(ER_USER_DOES_NOT_EXIST, MYF(0), auth_id.auth_str().c_str());
       return true;
     }
   }
@@ -748,7 +752,8 @@ bool Security_context::can_operate_with(const Auth_id &auth_id,
                       : true;
   }
   if (is_mismatch) {
-    my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), privilege.c_str());
+    if (throw_error)
+      my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), privilege.c_str());
   }
   return is_mismatch;
 }

sql/auth/sql_security_ctx.h

@@ -82,7 +82,8 @@ class Security_context {
                                          bool cumulative = false);
   bool can_operate_with(const Auth_id &auth_id, const std::string &privilege,
                         bool cumulative = false,
-                        bool ignore_if_nonextant = true);
+                        bool ignore_if_nonextant = true,
+                        bool throw_error = true);
   int activate_role(LEX_CSTRING user, LEX_CSTRING host,
                     bool validate_access = false);
   void clear_active_roles(void);

sql/auth/sql_user.cc

@@ -180,6 +180,57 @@ bool check_change_password(THD *thd, const char *host, const char *user,
   return false;
 }
 
+/**
+  Auxilary function for the CAN_ACCESS_USER internal function
+  used to check if a row from mysql.user can be accessed or not
+  by the current user
+
+  @arg thd the current thread
+  @arg user_arg the user account to check
+  @retval true the current user can access the user
+  @retval false the current user can't access the user
+
+  @sa @ref Item_func_can_access_user, @ref dd::system_views::User_attributes
+*/
+bool acl_can_access_user(THD *thd, LEX_USER *user_arg) {
+  /* if ACL is not initalized show everything */
+  if (!initialized) return true;
+
+  /* show everything if slave thread */
+  if (thd->slave_thread) return true;
+
+  LEX_USER *user = get_current_user(thd, user_arg);
+
+  /* hide the rows whose user can't be inited */
+  if (!user) return false;
+
+  Security_context *sctx = thd->security_context();
+
+  /* show if it's the same user */
+  if (!strcmp(sctx->priv_user().str, user->user.str) &&
+      !my_strcasecmp(system_charset_info, user->host.str,
+                     sctx->priv_host().str))
+    return true;
+
+  /* show if the current user has UPDATE on mysql.* */
+  if (!check_access(thd, UPDATE_ACL, consts::mysql.c_str(), nullptr, nullptr,
+                    true, true))
+    return true;
+
+  /* show if the current user has SELECT on mysql.* */
+  if (!check_access(thd, SELECT_ACL, consts::mysql.c_str(), nullptr, nullptr,
+                    true, true))
+    return true;
+
+  /* disable if the current user doesn't have SYSTEM_USER and the user account
+   * checked does */
+  if (sctx->can_operate_with(user, consts::system_user, false, true, false))
+    return false;
+
+  /* show if the current user has CREATE ACL, otherwise hide */
+  return sctx->check_access(CREATE_USER_ACL, consts::mysql);
+}
+
 /**
   Auxiliary function for constructing CREATE USER sql for a given user.
 

sql/dd/impl/system_views/user_attributes.cc

@@ -38,6 +38,7 @@ User_attributes::User_attributes() {
   m_target_def.add_field(FIELD_METADATA, "`ATTRIBUTE`",
                          "user_attributes->>\"$.metadata\"");
   m_target_def.add_from("mysql.user");
+  m_target_def.add_where("CAN_ACCESS_USER(mysql.user.user,mysql.user.host)");
 }
 
 }  // namespace system_views

sql/dd/info_schema/metadata.h

@@ -192,6 +192,7 @@ namespace info_schema {
   Changes from version 80021:
 
   - WL#13369: Added new I_S view 'SCHEMATA_EXTENSIONS'.
+  - Bug #31427410: Added a WHERE clause to I_S.USER_ATTRIBUTES
 
 
   80023: Next IS version number after the previous is public.

sql/item_create.cc

@@ -1638,6 +1638,7 @@ static const std::pair<const char *, Create_func *> func_array[] = {
     {"CAN_ACCESS_ROUTINE",
      SQL_FN_LIST_INTERNAL(Item_func_can_access_routine, 5)},
     {"CAN_ACCESS_EVENT", SQL_FN_INTERNAL(Item_func_can_access_event, 1)},
+    {"CAN_ACCESS_USER", SQL_FN_INTERNAL(Item_func_can_access_user, 2)},
     {"ICU_VERSION", SQL_FN(Item_func_icu_version, 0)},
     {"CAN_ACCESS_RESOURCE_GROUP",
      SQL_FN_INTERNAL(Item_func_can_access_resource_group, 1)},

sql/item_func.cc

@@ -8417,6 +8417,49 @@ longlong Item_func_can_access_table::val_int() {
   return 0;
 }
 
+/**
+  @brief
+    INFORMATION_SCHEMA picks metadata from new DD using system views.
+    In order for INFORMATION_SCHEMA to skip listing user accpounts for which
+    the user does not have rights, the following SQL function is used.
+
+  Syntax:
+    int CAN_ACCCESS_USER(user_part, host_part);
+
+  @returns,
+    1 - If current user has access.
+    0 - If not.
+
+  @sa @ref acl_can_access_user
+*/
+longlong Item_func_can_access_user::val_int() {
+  DBUG_TRACE;
+
+  THD *thd = current_thd;
+  // Read user, host
+  String user_name;
+  String *user_name_ptr = args[0]->val_str(&user_name);
+  String host_name;
+  String *host_name_ptr = args[1]->val_str(&host_name);
+  if (host_name_ptr == nullptr || user_name_ptr == nullptr) {
+    null_value = true;
+    return 0;
+  }
+
+  // Make sure we have safe string to access.
+  host_name_ptr->c_ptr_safe();
+  user_name_ptr->c_ptr_safe();
+  MYSQL_LEX_STRING user_str = {const_cast<char *>(user_name_ptr->ptr()),
+                               user_name_ptr->length()};
+  MYSQL_LEX_STRING
+  host_str = {const_cast<char *>(host_name_ptr->ptr()),
+              host_name_ptr->length()};
+  LEX_USER user;
+  if (!LEX_USER::init(&user, thd, &user_str, &host_str)) return 0;
+
+  return acl_can_access_user(thd, &user) ? 1 : 0;
+}
+
 /**
   @brief
     INFORMATION_SCHEMA picks metadata from new DD using system views. In

sql/item_func.h

@@ -2462,6 +2462,18 @@ class Item_func_can_access_table : public Item_int_func {
   }
 };
 
+class Item_func_can_access_user : public Item_int_func {
+ public:
+  Item_func_can_access_user(const POS &pos, Item *a, Item *b)
+      : Item_int_func(pos, a, b) {}
+  longlong val_int() override;
+  const char *func_name() const override { return "can_access_user"; }
+  bool resolve_type(THD *) override {
+    maybe_null = true;
+    return false;
+  }
+};
+
 class Item_func_can_access_trigger : public Item_int_func {
  public:
   Item_func_can_access_trigger(const POS &pos, Item *a, Item *b)

sql/table.cc

@@ -7277,6 +7277,11 @@ LEX_USER *LEX_USER::alloc(THD *thd, LEX_STRING *user_arg,
                           LEX_STRING *host_arg) {
   LEX_USER *ret = static_cast<LEX_USER *>(thd->alloc(sizeof(LEX_USER)));
   if (ret == nullptr) return nullptr;
+  return LEX_USER::init(ret, thd, user_arg, host_arg);
+}
+
+LEX_USER *LEX_USER::init(LEX_USER *ret, THD *thd, LEX_STRING *user_arg,
+                         LEX_STRING *host_arg) {
   /*
     Trim whitespace as the values will go to a CHAR field
     when stored.

sql/table.h

@@ -2456,6 +2456,12 @@ struct LEX_USER {
     explicitly.
   */
   static LEX_USER *alloc(THD *thd, LEX_STRING *user, LEX_STRING *host);
+  /*
+    Initialize the members of this struct. It is preferable to use this method
+    to initialize a LEX_USER rather initializing the members explicitly.
+  */
+  static LEX_USER *init(LEX_USER *to_init, THD *thd, LEX_STRING *user,
+                        LEX_STRING *host);
 };
 
 /**

unittest/gunit/dd_info_schema_native_func-t.cc

@@ -285,5 +285,10 @@ TEST_F(ISNativeFuncTest, AllNullArguments) {
   CREATE_ITEM(Item_func_internal_is_enabled_role, TWO_NULL_ARGS);
   item->val_int();
   EXPECT_EQ(1, item->null_value);
+
+  // CAN_ACCESS_USER(NULL, NULL, NULL)
+  CREATE_ITEM(Item_func_can_access_user, TWO_NULL_ARGS);
+  item->val_int();
+  EXPECT_EQ(1, item->null_value);
 }
 }  // namespace dd_info_schema_native_func