WL#7724 - Add support for proxy user mapping to

mysql_native_password and sha256_password authentication
plugins.

Author: Todd Farmer

include/mysql/plugin_auth_common.h

@@ -1,5 +1,5 @@
 #ifndef MYSQL_PLUGIN_AUTH_COMMON_INCLUDED
-/* Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -83,6 +83,12 @@
 */
 #define CR_OK_HANDSHAKE_COMPLETE -2
 
+/**
+Flag to be passed back to server from authentication plugins via
+authenticated_as when proxy mapping should be done by the server.
+*/
+#define PROXY_FLAG 0
+
 /*
   We need HANDLE definition if on Windows. Define WIN32_LEAN_AND_MEAN (if
   not already done) to minimize amount of imported declarations.

mysql-test/r/mysqld--help-notwin.result

@@ -152,6 +152,12 @@ The following options may be given as the first argument:
  Set the default character set.
  --character-sets-dir=name 
  Directory where character sets are
+ --check-proxy-users If set to FALSE (the default), then proxy user identity
+ will not be mapped for authentication plugins which
+ support mapping from grant tables.  When set to TRUE,
+ users associated with authentication plugins which signal
+ proxy user mapping should be done according to GRANT
+ PROXY privilege definition.
  -r, --chroot=name   Chroot mysqld daemon during startup.
  --collation-server=name 
  Set the default collation.
@@ -553,6 +559,13 @@ The following options may be given as the first argument:
  NULLS_UNEQUAL (default behavior for 4.1 and later),
  NULLS_EQUAL (emulate 4.0 behavior), and NULLS_IGNORED
  --myisam-use-mmap   Use memory mapping for reading and writing MyISAM tables
+ --mysql-native-password-proxy-users 
+ If set to FALSE (the default), then the
+ mysql_native_password plugin will not signal for
+ authenticated users to be checked for mapping to proxy
+ users.  When set to TRUE, the plugin will flag associated
+ authenticated accounts to be mapped to proxy users when
+ the server option check_proxy_users is enabled.
  --net-buffer-length=# 
  Buffer length for TCP/IP and socket communication
  --net-read-timeout=# 
@@ -958,6 +971,13 @@ The following options may be given as the first argument:
  Track changes to the 'session state'.
  --session-track-system-variables=name 
  Track changes in registered system variables.
+ --sha256-password-proxy-users 
+ If set to FALSE (the default), then the sha256_password
+ authentication plugin will not signal for authenticated
+ users to be checked for mapping to proxy users.  When set
+ to TRUE, the plugin will flag associated authenticated
+ accounts to be mapped to proxy users when the server
+ option check_proxy_users is enabled.
  --show-compatibility-56 
  SHOW commands / INFORMATION_SCHEMA tables compatible with
  MySQL 5.6
@@ -1185,6 +1205,7 @@ character-set-client-handshake TRUE
 character-set-filesystem binary
 character-set-server latin1
 character-sets-dir MYSQL_CHARSETSDIR/
+check-proxy-users FALSE
 chroot (No default value)
 collation-server latin1_swedish_ci
 completion-type NO_CHAIN
@@ -1315,6 +1336,7 @@ myisam-repair-threads 1
 myisam-sort-buffer-size 8388608
 myisam-stats-method nulls_unequal
 myisam-use-mmap FALSE
+mysql-native-password-proxy-users FALSE
 net-buffer-length 16384
 net-read-timeout 30
 net-retry-count 10
@@ -1426,6 +1448,7 @@ session-track-gtids OFF
 session-track-schema TRUE
 session-track-state-change FALSE
 session-track-system-variables time_zone,autocommit,character_set_client,character_set_results,character_set_connection
+sha256-password-proxy-users FALSE
 show-compatibility-56 TRUE
 show-old-temporals FALSE
 show-slave-auth-info FALSE

mysql-test/r/mysqld--help-win.result

@@ -152,6 +152,12 @@ The following options may be given as the first argument:
  Set the default character set.
  --character-sets-dir=name 
  Directory where character sets are
+ --check-proxy-users If set to FALSE (the default), then proxy user identity
+ will not be mapped for authentication plugins which
+ support mapping from grant tables.  When set to TRUE,
+ users associated with authentication plugins which signal
+ proxy user mapping should be done according to GRANT
+ PROXY privilege definition.
  -r, --chroot=name   Chroot mysqld daemon during startup.
  --collation-server=name 
  Set the default collation.
@@ -543,6 +549,13 @@ The following options may be given as the first argument:
  NULLS_UNEQUAL (default behavior for 4.1 and later),
  NULLS_EQUAL (emulate 4.0 behavior), and NULLS_IGNORED
  --myisam-use-mmap   Use memory mapping for reading and writing MyISAM tables
+ --mysql-native-password-proxy-users 
+ If set to FALSE (the default), then the
+ mysql_native_password plugin will not signal for
+ authenticated users to be checked for mapping to proxy
+ users.  When set to TRUE, the plugin will flag associated
+ authenticated accounts to be mapped to proxy users when
+ the server option check_proxy_users is enabled.
  --named-pipe        Enable the named pipe (NT)
  --net-buffer-length=# 
  Buffer length for TCP/IP and socket communication
@@ -949,6 +962,13 @@ The following options may be given as the first argument:
  Track changes to the 'session state'.
  --session-track-system-variables=name 
  Track changes in registered system variables.
+ --sha256-password-proxy-users 
+ If set to FALSE (the default), then the sha256_password
+ authentication plugin will not signal for authenticated
+ users to be checked for mapping to proxy users.  When set
+ to TRUE, the plugin will flag associated authenticated
+ accounts to be mapped to proxy users when the server
+ option check_proxy_users is enabled.
  --shared-memory     Enable the shared memory
  --shared-memory-base-name=name 
  Base name of shared memory
@@ -1184,6 +1204,7 @@ character-set-client-handshake TRUE
 character-set-filesystem binary
 character-set-server latin1
 character-sets-dir MYSQL_CHARSETSDIR/
+check-proxy-users FALSE
 chroot (No default value)
 collation-server latin1_swedish_ci
 completion-type NO_CHAIN
@@ -1310,6 +1331,7 @@ myisam-repair-threads 1
 myisam-sort-buffer-size 8388608
 myisam-stats-method nulls_unequal
 myisam-use-mmap FALSE
+mysql-native-password-proxy-users FALSE
 named-pipe FALSE
 net-buffer-length 16384
 net-read-timeout 30
@@ -1422,6 +1444,7 @@ session-track-gtids OFF
 session-track-schema TRUE
 session-track-state-change FALSE
 session-track-system-variables time_zone,autocommit,character_set_client,character_set_results,character_set_connection
+sha256-password-proxy-users FALSE
 shared-memory FALSE
 shared-memory-base-name MYSQL
 show-compatibility-56 TRUE

mysql-test/suite/perfschema/r/show_sanity.result

@@ -313,6 +313,9 @@ where show_mode = "5.7"
     and source = "P_S.SESSION_VARIABLES")
 order by show_mode, source, variable_name;
 SHOW_MODE	SOURCE	VARIABLE_NAME
+5.6	I_S.SESSION_VARIABLES	CHECK_PROXY_USERS
+5.6	I_S.SESSION_VARIABLES	MYSQL_NATIVE_PASSWORD_PROXY_USERS
+5.6	I_S.SESSION_VARIABLES	SHA256_PASSWORD_PROXY_USERS
 
 ================================================================================
 TEST 5

mysql-test/suite/sys_vars/r/check_proxy_users_basic.result

@@ -0,0 +1,115 @@
+SET @start_value = @@global.check_proxy_users;
+SELECT @start_value;
+@start_value
+0
+'#----- 1.2.2.3 Default ---------------------------------------#'
+SET @@global.check_proxy_users = 1;
+SET @@global.check_proxy_users = DEFAULT;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = @start_value;
+SELECT @@global.check_proxy_users = 0;
+@@global.check_proxy_users = 0
+1
+'#----- 1.2.1 Valid values -------------------------------------#'
+SET @@global.check_proxy_users = 0;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = 1;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+1
+SET @@global.check_proxy_users = TRUE;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+1
+SET @@global.check_proxy_users = FALSE;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = ON;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+1
+SET @@global.check_proxy_users = OFF;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+'#----- 1.2.1 Invalid values -----------------------------------#'
+SET @@global.check_proxy_users = -1;
+ERROR 42000: Variable 'check_proxy_users' can't be set to the value of '-1'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = 4294967296;
+ERROR 42000: Variable 'check_proxy_users' can't be set to the value of '4294967296'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = 10240022115;
+ERROR 42000: Variable 'check_proxy_users' can't be set to the value of '10240022115'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = 10000.01;
+ERROR 42000: Incorrect argument type to variable 'check_proxy_users'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = -1024;
+ERROR 42000: Variable 'check_proxy_users' can't be set to the value of '-1024'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = 42949672950;
+ERROR 42000: Variable 'check_proxy_users' can't be set to the value of '42949672950'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+SET @@global.check_proxy_users = 'test';
+ERROR 42000: Variable 'check_proxy_users' can't be set to the value of 'test'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+'#----- 1.2.5 Global/Session variable ---------------------------#'
+SET @@session.check_proxy_users = 0;
+ERROR HY000: Variable 'check_proxy_users' is a GLOBAL variable and should be set with SET GLOBAL
+SELECT @@check_proxy_users;
+@@check_proxy_users
+0
+SELECT IF(@@global.check_proxy_users, "ON", "OFF") = VARIABLE_VALUE 
+FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES 
+WHERE VARIABLE_NAME='check_proxy_users';
+IF(@@global.check_proxy_users, "ON", "OFF") = VARIABLE_VALUE
+1
+SELECT IF(@@check_proxy_users, "ON", "OFF") = VARIABLE_VALUE 
+FROM INFORMATION_SCHEMA.SESSION_VARIABLES 
+WHERE VARIABLE_NAME='check_proxy_users';
+IF(@@check_proxy_users, "ON", "OFF") = VARIABLE_VALUE
+1
+SET @@global.check_proxy_users = 1;
+SELECT @@check_proxy_users = @@global.check_proxy_users;
+@@check_proxy_users = @@global.check_proxy_users
+1
+'#----- 1.2.6 Global/Session variable ---------------------------#'
+SET check_proxy_users = 1;
+ERROR HY000: Variable 'check_proxy_users' is a GLOBAL variable and should be set with SET GLOBAL
+SELECT @@check_proxy_users;
+@@check_proxy_users
+1
+SET local.check_proxy_users = 1;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'local.check_proxy_users = 1' at line 1
+SELECT local.check_proxy_users;
+ERROR 42S02: Unknown table 'local' in field list
+SET global.check_proxy_users = 1;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'global.check_proxy_users = 1' at line 1
+SELECT global.check_proxy_users;
+ERROR 42S02: Unknown table 'global' in field list
+SELECT check_proxy_users = @@session.check_proxy_users;
+ERROR 42S22: Unknown column 'check_proxy_users' in 'field list'
+SET @@global.check_proxy_users = @start_value;
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0

mysql-test/suite/sys_vars/r/check_proxy_users_cmdl.result

@@ -0,0 +1,34 @@
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+1
+'#----- 1.1.1 Valid values on cmd line -----------------------#'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+1
+'#----- 1.1.2 Valid values on cmd line -----------------------#'
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+1
+'#----- 1.1.3 Invalid values on cmd line -----------------------#'
+CALL mtr.add_suppression("option 'check_proxy_users': boolean value '-1' wasn't recognized. Set to OFF.");
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+CALL mtr.add_suppression("option 'check_proxy_users': boolean value '43698' wasn't recognized. Set to OFF.");
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+CALL mtr.add_suppression("option 'check_proxy_users': boolean value 'TEST' wasn't recognized. Set to OFF.");
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+'#----- 1.1.4 Invalid values on cmd line -----------------------#'
+CALL mtr.add_suppression("option 'check_proxy_users': boolean value ''test'' wasn't recognized. Set to OFF.");
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0
+'#----- 1.1.5 empty values on cmd line -----------------------#'
+CALL mtr.add_suppression("option 'check_proxy_users': boolean value '' wasn't recognized. Set to OFF.");
+SELECT @@global.check_proxy_users;
+@@global.check_proxy_users
+0

mysql-test/suite/sys_vars/r/check_proxy_users_func.result

@@ -0,0 +1,17 @@
+** Setup **
+
+SET @default_check_proxy_users = @@check_proxy_users;
+'#----- 1.2.4 superuser set variable -------------------------#'
+SET Global check_proxy_users=OFF;
+'#----- 1.2.4 others user set variable -----------------------#'
+** Creating new user with out super privilege**
+CREATE USER sameea;
+** Connecting connn using username 'sameea' **
+SET GLOBAL check_proxy_users=ON;
+ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+SET @@global.check_proxy_users=ON;
+ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+** Connection default **
+** Disconnecting connn **
+DROP USER sameea;
+SET global check_proxy_users = @default_check_proxy_users;